inspec 1.0.0.beta2 → 1.0.0.beta3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (95) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +41 -2
  3. data/Gemfile +4 -0
  4. data/Rakefile +2 -1
  5. data/docs/.gitignore +2 -0
  6. data/docs/README.md +21 -1
  7. data/docs/resources/apache_conf.md.erb +75 -0
  8. data/docs/resources/apt.md.erb +84 -0
  9. data/docs/resources/audit_policy.md.erb +61 -0
  10. data/docs/resources/auditd_conf.md.erb +79 -0
  11. data/docs/resources/auditd_rules.md.erb +132 -0
  12. data/docs/resources/bash.md.erb +84 -0
  13. data/docs/resources/bond.md.erb +97 -0
  14. data/docs/resources/bridge.md.erb +67 -0
  15. data/docs/resources/bsd_service.md.erb +76 -0
  16. data/docs/resources/command.md.erb +151 -0
  17. data/docs/resources/csv.md.erb +62 -0
  18. data/docs/resources/directory.md.erb +43 -0
  19. data/docs/resources/etc_group.md.erb +116 -0
  20. data/docs/resources/etc_passwd.md.erb +155 -0
  21. data/docs/resources/etc_shadow.md.erb +149 -0
  22. data/docs/resources/file.md.erb +460 -0
  23. data/docs/resources/gem.md.erb +73 -0
  24. data/docs/resources/group.md.erb +74 -0
  25. data/docs/resources/grub_conf.md.erb +115 -0
  26. data/docs/resources/host.md.erb +85 -0
  27. data/docs/resources/iis_site.md.erb +142 -0
  28. data/docs/resources/inetd_conf.md.erb +99 -0
  29. data/docs/resources/ini.md.erb +69 -0
  30. data/docs/resources/interface.md.erb +66 -0
  31. data/docs/resources/iptables.md.erb +70 -0
  32. data/docs/resources/json.md.erb +76 -0
  33. data/docs/resources/kernel_module.md.erb +60 -0
  34. data/docs/resources/kernel_parameter.md.erb +72 -0
  35. data/docs/resources/launchd_service.md.erb +76 -0
  36. data/docs/resources/limits_conf.md.erb +80 -0
  37. data/docs/resources/login_def.md.erb +77 -0
  38. data/docs/resources/mount.md.erb +83 -0
  39. data/docs/resources/mysql_conf.md.erb +102 -0
  40. data/docs/resources/mysql_session.md.erb +63 -0
  41. data/docs/resources/npm.md.erb +75 -0
  42. data/docs/resources/ntp_conf.md.erb +76 -0
  43. data/docs/resources/oneget.md.erb +67 -0
  44. data/docs/resources/os.md.erb +154 -0
  45. data/docs/resources/os_env.md.erb +98 -0
  46. data/docs/resources/package.md.erb +115 -0
  47. data/docs/resources/parse_config.md.erb +122 -0
  48. data/docs/resources/parse_config_file.md.erb +143 -0
  49. data/docs/resources/pip.md.erb +74 -0
  50. data/docs/resources/port.md.erb +150 -0
  51. data/docs/resources/postgres_conf.md.erb +90 -0
  52. data/docs/resources/postgres_session.md.erb +75 -0
  53. data/docs/resources/powershell.md.erb +116 -0
  54. data/docs/resources/process.md.erb +73 -0
  55. data/docs/resources/registry_key.md.erb +149 -0
  56. data/docs/resources/runit_service.md.erb +76 -0
  57. data/docs/resources/security_policy.md.erb +61 -0
  58. data/docs/resources/service.md.erb +135 -0
  59. data/docs/resources/ssh_config.md.erb +94 -0
  60. data/docs/resources/sshd_config.md.erb +97 -0
  61. data/docs/resources/ssl.md.erb +133 -0
  62. data/docs/resources/sys_info.md.erb +55 -0
  63. data/docs/resources/systemd_service.md.erb +76 -0
  64. data/docs/resources/sysv_service.md.erb +76 -0
  65. data/docs/resources/upstart_service.md.erb +76 -0
  66. data/docs/resources/user.md.erb +154 -0
  67. data/docs/resources/users.md.erb +140 -0
  68. data/docs/resources/vbscript.md.erb +69 -0
  69. data/docs/resources/windows_feature.md.erb +61 -0
  70. data/docs/resources/wmi.md.erb +95 -0
  71. data/docs/resources/xinetd_conf.md.erb +170 -0
  72. data/docs/resources/yaml.md.erb +69 -0
  73. data/docs/resources/yum.md.erb +103 -0
  74. data/docs/ruby_usage.md +154 -0
  75. data/docs/shared/matcher_be.md.erb +1 -0
  76. data/docs/shared/matcher_cmp.md.erb +45 -0
  77. data/docs/shared/matcher_eq.md.erb +3 -0
  78. data/docs/shared/matcher_include.md.erb +1 -0
  79. data/docs/shared/matcher_match.md.erb +1 -0
  80. data/lib/fetchers/url.rb +27 -29
  81. data/lib/inspec/cached_fetcher.rb +67 -0
  82. data/lib/inspec/dependencies/requirement.rb +6 -7
  83. data/lib/inspec/objects/each_loop.rb +5 -2
  84. data/lib/inspec/plugins/fetcher.rb +2 -0
  85. data/lib/inspec/profile.rb +9 -41
  86. data/lib/inspec/resource.rb +1 -1
  87. data/lib/inspec/rspec_json_formatter.rb +11 -5
  88. data/lib/inspec/version.rb +1 -1
  89. data/lib/resources/groups.rb +190 -0
  90. data/lib/resources/users.rb +3 -2
  91. metadata +79 -6
  92. data/docs/cli.rst +0 -448
  93. data/docs/resources.rst +0 -4836
  94. data/docs/ruby_usage.rst +0 -145
  95. data/lib/resources/group.rb +0 -137
data/docs/resources.rst DELETED
@@ -1,4836 +0,0 @@
1
- =====================================================
2
- InSpec Resources Reference
3
- =====================================================
4
-
5
- The following InSpec audit resources are available:
6
-
7
- * `apache_conf`_
8
- * `apt`_
9
- * `audit_policy`_
10
- * `auditd_conf`_
11
- * `auditd_rules`_
12
- * `bash`_
13
- * `bond`_
14
- * `bridge`_
15
- * `csv`_
16
- * `command`_
17
- * `directory`_
18
- * `etc_group`_
19
- * `file`_
20
- * `gem`_
21
- * `group <https://github.com/chef/inspec/blob/master/docs/resources.rst#group-1/>`_
22
- * `grub_conf`_
23
- * `host`_
24
- * `iis_site`_
25
- * `inetd_conf`_
26
- * `ini`_
27
- * `interface`_
28
- * `iptables`_
29
- * `kernel_module`_
30
- * `kernel_parameter`_
31
- * `limits_conf`_
32
- * `login_defs`_
33
- * `mount`_
34
- * `mysql_conf`_
35
- * `mysql_session`_
36
- * `npm`_
37
- * `ntp_conf`_
38
- * `oneget`_
39
- * `os`_
40
- * `os_env`_
41
- * `package`_
42
- * `parse_config`_
43
- * `parse_config_file`_
44
- * `passwd`_
45
- * `pip`_
46
- * `port`_
47
- * `postgres_conf`_
48
- * `postgres_session`_
49
- * `powershell`_
50
- * `processes`_
51
- * `registry_key`_
52
- * `security_policy`_
53
- * `service`_
54
- * `ssh_config`_
55
- * `sshd_config`_
56
- * `user`_
57
- * `windows_feature`_
58
- * `yaml`_
59
- * `yum`_
60
-
61
- See below for more information about each InSpec audit resource, its related matchers, and examples of how to use it in a recipe.
62
-
63
-
64
- apache_conf
65
- =====================================================
66
- Use the ``apache_conf`` |inspec resource| to test the configuration settings for |apache|. This file is typically located under ``/etc/apache2`` on the |debian| and |ubuntu| platforms and under ``/etc/httpd`` on the |fedora|, |centos|, |redhat enterprise linux|, and |archlinux| platforms. The configuration settings may vary significantly from platform to platform.
67
-
68
- **Stability: Experimental**
69
-
70
- Syntax
71
- -----------------------------------------------------
72
- An ``apache_conf`` |inspec resource| block declares configuration settings that should be tested:
73
-
74
- .. code-block:: ruby
75
-
76
- describe apache_conf('path') do
77
- its('setting_name') { should eq 'value' }
78
- end
79
-
80
- where
81
-
82
- * ``'setting_name'`` is a configuration setting defined in the |apache| configuration file
83
- * ``('path')`` is the non-default path to the |apache| configuration file
84
- * ``{ should eq 'value' }`` is the value that is expected
85
-
86
- Matchers
87
- -----------------------------------------------------
88
- This |inspec resource| matches any service that is listed in the |apache| configuration file:
89
-
90
- .. code-block:: ruby
91
-
92
- its('PidFile') { should_not eq '/var/run/httpd.pid' }
93
-
94
- or:
95
-
96
- .. code-block:: ruby
97
-
98
- its('Timeout') { should eq 300 }
99
-
100
- For example:
101
-
102
- .. code-block:: ruby
103
-
104
- describe apache_conf do
105
- its('MaxClients') { should eq 100 }
106
- its('Listen') { should eq '443'}
107
- end
108
-
109
- Examples
110
- -----------------------------------------------------
111
- The following examples show how to use this InSpec audit resource in a test.
112
-
113
- **Test for blocking .htaccess files on CentOS**
114
-
115
- .. code-block:: ruby
116
-
117
- describe apache_conf do
118
- its('AllowOverride') { should eq 'None' }
119
- end
120
-
121
- **Test ports for SSL**
122
-
123
- .. code-block:: ruby
124
-
125
- describe apache_conf do
126
- its('Listen') { should eq '443'}
127
- end
128
-
129
-
130
- apt
131
- =====================================================
132
- Use the ``apt`` |inspec resource| to verify |apt| repositories on the |debian| and |ubuntu| platforms, and also |ppa| repositories on the |ubuntu| platform.
133
-
134
- **Stability: Stable**
135
-
136
- Syntax
137
- -----------------------------------------------------
138
- An ``apt`` |inspec resource| block tests the contents of |apt| and |ppa| repositories:
139
-
140
- .. code-block:: ruby
141
-
142
- describe apt('path') do
143
- it { should exist }
144
- it { should be_enabled }
145
- end
146
-
147
- where
148
-
149
- * ``apt('path')`` must specify an |apt| or |ppa| repository
150
- * ``('path')`` may be an ``http://`` address, a ``ppa:`` address, or a short ``repo-name/ppa`` address
151
- * ``exist`` and ``be_enabled`` are a valid matchers for this |inspec resource|
152
-
153
- Matchers
154
- -----------------------------------------------------
155
- This InSpec audit resource has the following matchers.
156
-
157
- be_enabled
158
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
159
- The ``be_enabled`` matcher tests if a package exists in the repository:
160
-
161
- .. code-block:: ruby
162
-
163
- it { should be_enabled }
164
-
165
- exist
166
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
167
- The ``exist`` matcher tests if a package exists on the system:
168
-
169
- .. code-block:: ruby
170
-
171
- it { should exist }
172
-
173
- Examples
174
- -----------------------------------------------------
175
- The following examples show how to use this InSpec audit resource in a test.
176
-
177
- **Test if apt repository exists and is enabled**
178
-
179
- .. code-block:: ruby
180
-
181
- describe apt('http://ppa.launchpad.net/juju/stable/ubuntu') do
182
- it { should exist }
183
- it { should be_enabled }
184
- end
185
-
186
- **Verify that a PPA repository exists and is enabled**
187
-
188
- .. code-block:: ruby
189
-
190
- describe apt('ppa:nginx/stable') do
191
- it { should exist }
192
- it { should be_enabled }
193
- end
194
-
195
- **Verify that a repository is not present**
196
-
197
- .. code-block:: ruby
198
-
199
- describe apt('ubuntu-wine/ppa') do
200
- it { should_not exist }
201
- it { should_not be_enabled }
202
- end
203
-
204
-
205
-
206
- audit_policy
207
- =====================================================
208
- Use the ``audit_policy`` |inspec resource| to test auditing policies on the |windows| platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to ``No Auditing``, ``Not Specified``, ``Success``, ``Success and Failure``, or ``Failure``.
209
-
210
- **Stability: Experimental**
211
-
212
- Syntax
213
- -----------------------------------------------------
214
- An ``audit_policy`` |inspec resource| block declares a parameter that belongs to an audit policy category or subcategory:
215
-
216
- .. code-block:: ruby
217
-
218
- describe audit_policy do
219
- its('parameter') { should eq 'value' }
220
- end
221
-
222
- where
223
-
224
- * ``'parameter'`` must specify a parameter
225
- * ``'value'`` must be one of ``No Auditing``, ``Not Specified``, ``Success``, ``Success and Failure``, or ``Failure``
226
-
227
- Matchers
228
- -----------------------------------------------------
229
- This InSpec audit resource does not have any matchers.
230
-
231
- Examples
232
- -----------------------------------------------------
233
- The following examples show how to use this InSpec audit resource.
234
-
235
- **Test that a parameter is not set to "No Auditing"**
236
-
237
- .. code-block:: ruby
238
-
239
- describe audit_policy do
240
- its('Other Account Logon Events') { should_not eq 'No Auditing' }
241
- end
242
-
243
- **Test that a parameter is set to "Success"**
244
-
245
- .. code-block:: ruby
246
-
247
- describe audit_policy do
248
- its('User Account Management') { should eq 'Success' }
249
- end
250
-
251
-
252
-
253
- auditd_conf
254
- =====================================================
255
- Use the ``auditd_conf`` |inspec resource| to test the configuration settings for the audit daemon. This file is typically located under ``/etc/audit/auditd.conf'`` on |unix| and |linux| platforms.
256
-
257
- **Stability: Experimental**
258
-
259
- Syntax
260
- -----------------------------------------------------
261
- A ``auditd_conf`` |inspec resource| block declares configuration settings that should be tested:
262
-
263
- .. code-block:: ruby
264
-
265
- describe auditd_conf('path') do
266
- its('keyword') { should cmp 'value' }
267
- end
268
-
269
- where
270
-
271
- * ``'keyword'`` is a configuration setting defined in the ``auditd.conf`` configuration file
272
- * ``('path')`` is the non-default path to the ``auditd.conf`` configuration file
273
- * ``{ should eq 'value' }`` is the value that is expected
274
-
275
- Matchers
276
- -----------------------------------------------------
277
- This |inspec resource| matches any keyword that is listed in the ``auditd.conf`` configuration file. Since all option names and values are case insensitive for ``auditd_conf``, we recommend to compare values with `cmp` instead of the `eq`:
278
-
279
- .. code-block:: ruby
280
-
281
- its('log_format') { should cmp 'raw' }
282
- its('max_log_file') { should cmp 6 }
283
-
284
- Examples
285
- -----------------------------------------------------
286
- The following examples show how to use this InSpec audit resource.
287
-
288
- **Test the auditd.conf file**
289
-
290
- .. code-block:: ruby
291
-
292
- describe auditd_conf do
293
- its('log_file') { should cmp '/full/path/to/file' }
294
- its('log_format') { should cmp 'raw' }
295
- its('flush') { should cmp 'none' }
296
- its('freq') { should cmp 1 }
297
- its('num_logs') { should cmp 0 }
298
- its('max_log_file') { should cmp 6 }
299
- its('max_log_file_action') { should cmp 'email' }
300
- its('space_left') { should cmp 2 }
301
- its('action_mail_acct') { should cmp 'root' }
302
- its('space_left_action') { should cmp 'email' }
303
- its('admin_space_left') { should cmp 1 }
304
- its('admin_space_left_action') { should cmp 'halt' }
305
- its('disk_full_action') { should cmp 'halt' }
306
- its('disk_error_action') { should cmp 'halt' }
307
- end
308
-
309
-
310
-
311
- auditd_rules
312
- =====================================================
313
- Use the ``auditd_rules`` |inspec resource| to test the rules for logging that exist on the system. The ``audit.rules`` file is typically located under ``/etc/audit/`` and contains the list of rules that define what is captured in log files. This resource uses `auditctl` to query the _run-time_ auditd rules setup (which may divert from `audit.rules`).
314
-
315
- **Stability: Experimental**
316
-
317
- Syntax
318
- -----------------------------------------------------
319
- A change in the output format (with an `audit` package version 2.3 or newer) is reflected in two interfaces included in `auditd_rules`:
320
-
321
- A ``auditd_rules`` |inspec resource| block declares one (or more) rules to be tested, and then what that rule should do:
322
-
323
- .. code-block:: ruby
324
-
325
- describe auditd_rules do
326
- its('LIST_RULES') { should eq [
327
- 'exit,always syscall=rmdir,unlink',
328
- 'exit,always auid=1001 (0x3e9) syscall=open',
329
- 'exit,always watch=/etc/group perm=wa',
330
- 'exit,always watch=/etc/passwd perm=wa',
331
- 'exit,always watch=/etc/shadow perm=wa',
332
- 'exit,always watch=/etc/sudoers perm=wa',
333
- 'exit,always watch=/etc/secret_directory perm=r',
334
- ] }
335
- end
336
-
337
- or test that individual rules are defined:
338
-
339
- .. code-block:: ruby
340
-
341
- describe auditd_rules do
342
- its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/) }
343
- its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/) }
344
- its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)}
345
- its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)}
346
- its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)}
347
- end
348
-
349
- where each test
350
-
351
- * must declare one (or more) rules to be tested
352
-
353
- Examples
354
- -----------------------------------------------------
355
- The following examples show how to use this InSpec audit resource.
356
-
357
- **Test if a rule contains a matching element that is identified by a regular expression.**
358
-
359
- .. code-block:: ruby
360
-
361
- # syntax for audit < 2.3
362
- describe audit_daemon_rules do
363
- its("LIST_RULES") {
364
- should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/)
365
- }
366
- end
367
-
368
- # syntax for auditd >= 2.3
369
- describe auditd_rules do
370
- its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
371
- end
372
-
373
- The syntax for recent auditd versions allows more precise tests, such as the following:
374
-
375
- **Query the audit daemon status.**
376
-
377
- .. code-block:: ruby
378
-
379
- describe auditd_rules.status('backlog') do
380
- it { should cmp 0 }
381
- end
382
-
383
- **Query properties of rules targeting specific syscalls or files.**
384
-
385
- .. code-block:: ruby
386
-
387
- describe auditd_rules.syscall('open').action do
388
- it { should eq(['always']) }
389
- end
390
-
391
- describe auditd_rules.key('sshd_config') do
392
- its('permissions') { should contain_match(/x/) }
393
- end
394
-
395
- Note that filters can be chained, for example:
396
-
397
- .. code-block:: ruby
398
-
399
- describe auditd_rules.syscall('open').action('always').list do
400
- it { should eq(['exit']) }
401
- end
402
-
403
-
404
-
405
-
406
- bash
407
- =====================================================
408
- Use the ``bash`` |inspec resource| to test an arbitrary command in BASH on the system.
409
-
410
- **Stability: Stable**
411
-
412
- Syntax
413
- -----------------------------------------------------
414
- A ``bash`` |inspec resource| block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
415
-
416
- .. code-block:: ruby
417
-
418
- describe bash('command') do
419
- it { should exist }
420
- its('matcher') { should eq 'output' }
421
- end
422
-
423
- where
424
-
425
- * ``'command'`` must specify a command to be run
426
- * ``'matcher'`` is one of ``exit_status``, ``stderr``, or ``stdout``
427
- * ``'output'`` tests the output of the command run on the system versus the output value stated in the test
428
-
429
- Matchers
430
- -----------------------------------------------------
431
- This InSpec audit resource has the following matchers.
432
-
433
- exist
434
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
435
- The ``exist`` matcher tests if a command may be run on the system:
436
-
437
- .. code-block:: ruby
438
-
439
- it { should exist }
440
-
441
- exit_status
442
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
443
- The ``exit_status`` matcher tests the exit status for the command:
444
-
445
- .. code-block:: ruby
446
-
447
- its('exit_status') { should eq 123 }
448
-
449
- stderr
450
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
451
- The ``stderr`` matcher tests results of the command as returned in standard error (stderr):
452
-
453
- .. code-block:: ruby
454
-
455
- its('stderr') { should eq 'error' }
456
-
457
- stdout
458
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
459
- The ``stdout`` matcher tests results of the command as returned in standard output (stdout):
460
-
461
- .. code-block:: ruby
462
-
463
- its('stdout') { should match /^1$/ }
464
-
465
- Examples
466
- -----------------------------------------------------
467
- The following examples show how to use this InSpec audit resource.
468
-
469
- **List content of a directorye**
470
-
471
- .. code-block:: ruby
472
-
473
- describe bash('ls -al /') do
474
- its('stdout') { should match /bin/ }
475
- its('stderr') { should eq '' }
476
- its('exit_status') { should eq 0 }
477
- end
478
-
479
- **Test standard output (stdout)**
480
-
481
- .. code-block:: ruby
482
-
483
- describe bash('echo hello') do
484
- its('stdout') { should eq 'hello\n' }
485
- its('stderr') { should eq '' }
486
- its('exit_status') { should eq 0 }
487
- end
488
-
489
- **Test standard error (stderr)**
490
-
491
- .. code-block:: ruby
492
-
493
- describe bash('>&2 echo error') do
494
- its('stdout') { should eq '' }
495
- its('stderr') { should eq 'error\n' }
496
- its('exit_status') { should eq 0 }
497
- end
498
-
499
- **Test an exit status code**
500
-
501
- .. code-block:: ruby
502
-
503
- describe bash('exit 123') do
504
- its('stdout') { should eq '' }
505
- its('stderr') { should eq '' }
506
- its('exit_status') { should eq 123 }
507
- end
508
-
509
- **Specify the path of the bash executable**
510
-
511
- .. code-block:: ruby
512
-
513
- describe bash('echo hello', path: '/bin/bash') do
514
- its('stdout') { should eq 'hello\n' }
515
- end
516
-
517
- **Specify bash arguments (defaults to -c)**
518
-
519
- .. code-block:: ruby
520
-
521
- describe bash('echo hello', args: '-x -c') do
522
- its('stdout') { should eq 'hello\n' }
523
- end
524
-
525
-
526
-
527
-
528
- bond
529
- =====================================================
530
- Use the ``bond`` |inspec resource| to test a logical, bonded network interface (i.e. "two or more network interfaces aggregated into a single, logical network interface"). On |linux| platforms, any value in the ``/proc/net/bonding`` directory may be tested.
531
-
532
- **Stability: Stable**
533
-
534
- Syntax
535
- -----------------------------------------------------
536
- A ``bond`` |inspec resource| block declares a bonded network interface, and then specifies the properties of that bonded network interface to be tested:
537
-
538
- .. code-block:: ruby
539
-
540
- describe bond('name') do
541
- it { should exist }
542
- end
543
-
544
- where
545
-
546
- * ``'name'`` is the name of the bonded network interface
547
- * ``{ should exist }`` is a valid matcher for this |inspec resource|
548
-
549
- Matchers
550
- -----------------------------------------------------
551
- This InSpec audit resource has the following matchers.
552
-
553
- content
554
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
555
- The ``content`` matcher tests if contents in the file that defines the bonded network interface match the value specified in the test. The values of the ``content`` matcher are arbitrary:
556
-
557
- .. code-block:: ruby
558
-
559
- its('content') { should match('value') }
560
-
561
- exist
562
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
563
- The ``exist`` matcher tests if the bonded network interface is available:
564
-
565
- .. code-block:: ruby
566
-
567
- it { should exist }
568
-
569
- have_interface
570
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
571
- The ``have_interface`` matcher tests if the bonded network interface has one (or more) secondary interfaces:
572
-
573
- .. code-block:: ruby
574
-
575
- it { should have_interface }
576
-
577
- interfaces
578
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
579
- The ``interfaces`` matcher tests if the named secondary interfaces are available:
580
-
581
- .. code-block:: ruby
582
-
583
- its('interfaces') { should eq ['eth0', 'eth1', ...] }
584
-
585
- params
586
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
587
- The ``params`` matcher tests arbitrary parameters for the bonded network interface:
588
-
589
- .. code-block:: ruby
590
-
591
- its('params') { should eq 'value' }
592
-
593
- Examples
594
- -----------------------------------------------------
595
- The following examples show how to use this InSpec audit resource.
596
-
597
- **Test if eth0 is a secondary interface for bond0**
598
-
599
- .. code-block:: ruby
600
-
601
- describe bond('bond0') do
602
- it { should exist }
603
- it { should have_interface 'eth0' }
604
- end
605
-
606
- **Test parameters for bond0**
607
-
608
- .. code-block:: ruby
609
-
610
- describe bond('bond0') do
611
- its('Bonding Mode') { should eq 'IEEE 802.3ad Dynamic link aggregation' }
612
- its('Transmit Hash Policy') { should eq 'layer3+4 (1)' }
613
- its('MII Status') { should eq 'up' }
614
- its('MII Polling Interval (ms)') { should eq '100' }
615
- its('Up Delay (ms)') { should eq '0' }
616
- its('Down Delay (ms)') { should eq '0' }
617
- end
618
-
619
-
620
-
621
-
622
-
623
- bridge
624
- =====================================================
625
- Use the ``bridge`` |inspec resource| to test basic network bridge properties, such as name, if an interface is defined, and the associations for any defined interface.
626
-
627
- * On |linux| platforms, any value in the ``/sys/class/net/{interface}/bridge`` directory may be tested
628
- * On the |windows| platform, the ``Get-NetAdapter`` cmdlet is associated with the ``Get-NetAdapterBinding`` cmdlet and returns the ``ComponentID ms_bridge`` value as a |json| object
629
-
630
- .. not sure the previous two bullet items are actually true, but keeping there for reference for now, just in case
631
-
632
- **Stability: Stable**
633
-
634
- Syntax
635
- -----------------------------------------------------
636
- A ``bridge`` |inspec resource| block declares the bridge to be tested and what interface it should be associated with:
637
-
638
- .. code-block:: ruby
639
-
640
- describe bridge('br0') do
641
- it { should exist }
642
- it { should have_interface 'eth0' }
643
- end
644
-
645
- ..
646
- .. where
647
- ..
648
- .. * ``xxxxx`` must specify xxxxx
649
- .. * xxxxx
650
- .. * ``xxxxx`` is a valid matcher for this InSpec audit resource
651
- ..
652
-
653
-
654
- Matchers
655
- -----------------------------------------------------
656
- This InSpec audit resource has the following matchers.
657
-
658
- exist
659
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
660
- The ``exist`` matcher tests if the network bridge is available:
661
-
662
- .. code-block:: ruby
663
-
664
- it { should exist }
665
-
666
- have_interface
667
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
668
- The ``have_interface`` matcher tests if the named interface is defined for the network bridge:
669
-
670
- .. code-block:: ruby
671
-
672
- it { should have_interface 'eth0' }
673
-
674
- interfaces
675
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
676
- The ``interfaces`` matcher tests if the named interface is present:
677
-
678
- .. code-block:: ruby
679
-
680
- its('interfaces') { should eq 'foo' }
681
- its('interfaces') { should eq 'bar' }
682
- its('interfaces') { should include('foo') }
683
-
684
- ..
685
- .. Examples
686
- .. -----------------------------------------------------
687
- .. The following examples show how to use this InSpec audit resource.
688
- ..
689
- .. **xxxxx**
690
- ..
691
- .. xxxxx
692
- ..
693
- .. **xxxxx**
694
- ..
695
- .. xxxxx
696
- ..
697
-
698
-
699
-
700
-
701
- command
702
- =====================================================
703
- Use the ``command`` |inspec resource| to test an arbitrary command that is run on the system.
704
-
705
- **Stability: Stable**
706
-
707
- Syntax
708
- -----------------------------------------------------
709
- A ``command`` |inspec resource| block declares a command to be run, one (or more) expected outputs, and the location to which that output is sent:
710
-
711
- .. code-block:: ruby
712
-
713
- describe command('command') do
714
- it { should exist }
715
- its('matcher') { should eq 'output' }
716
- end
717
-
718
- where
719
-
720
- * ``'command'`` must specify a command to be run
721
- * ``'matcher'`` is one of ``exit_status``, ``stderr``, or ``stdout``
722
- * ``'output'`` tests the output of the command run on the system versus the output value stated in the test
723
-
724
- Matchers
725
- -----------------------------------------------------
726
- This InSpec audit resource has the following matchers.
727
-
728
- exist
729
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
730
- The ``exist`` matcher tests if a command may be run on the system:
731
-
732
- .. code-block:: ruby
733
-
734
- it { should exist }
735
-
736
- exit_status
737
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
738
- The ``exit_status`` matcher tests the exit status for the command:
739
-
740
- .. code-block:: ruby
741
-
742
- its('exit_status') { should eq 123 }
743
-
744
- stderr
745
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
746
- The ``stderr`` matcher tests results of the command as returned in standard error (stderr):
747
-
748
- .. code-block:: ruby
749
-
750
- its('stderr') { should eq 'error' }
751
-
752
- stdout
753
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
754
- The ``stdout`` matcher tests results of the command as returned in standard output (stdout):
755
-
756
- .. code-block:: ruby
757
-
758
- its('stdout') { should match /^1$/ }
759
-
760
- Examples
761
- -----------------------------------------------------
762
- The following examples show how to use this InSpec audit resource.
763
-
764
- **Test for PostgreSQL database running a RC, but no development, or beta release**
765
-
766
- .. code-block:: ruby
767
-
768
- describe command('psql -V') do
769
- its('stdout') { should match /RC/ }
770
- its('stdout') { should_not match /DEVEL/ }
771
- its('stdout') { should_not match /BETA/ }
772
- end
773
-
774
- **Test standard output (stdout)**
775
-
776
- .. code-block:: ruby
777
-
778
- describe command('echo hello') do
779
- its('stdout') { should eq 'hello\n' }
780
- its('stderr') { should eq '' }
781
- its('exit_status') { should eq 0 }
782
- end
783
-
784
- **Test standard error (stderr)**
785
-
786
- .. code-block:: ruby
787
-
788
- describe command('>&2 echo error') do
789
- its('stdout') { should eq '' }
790
- its('stderr') { should eq 'error\n' }
791
- its('exit_status') { should eq 0 }
792
- end
793
-
794
- **Test an exit status code**
795
-
796
- .. code-block:: ruby
797
-
798
- describe command('exit 123') do
799
- its('stdout') { should eq '' }
800
- its('stderr') { should eq '' }
801
- its('exit_status') { should eq 123 }
802
- end
803
-
804
- **Test if the command shell exists**
805
-
806
- .. code-block:: ruby
807
-
808
- describe command('/bin/sh').exist? do
809
- it { should eq true }
810
- end
811
-
812
- **Test for a command that should not exist**
813
-
814
- .. code-block:: ruby
815
-
816
- describe command('this is not existing').exist? do
817
- it { should eq false }
818
- end
819
-
820
-
821
-
822
-
823
- csv
824
- =====================================================
825
- Use the ``csv`` |inspec resource| to test configuration data in a |csv| file.
826
-
827
- **Stability: Experimental**
828
-
829
- Syntax
830
- -----------------------------------------------------
831
- A ``csv`` |inspec resource| block declares the configuration data to be tested:
832
-
833
- .. code-block:: ruby
834
-
835
- describe csv('file') do
836
- its('name') { should eq 'foo' }
837
- end
838
-
839
- where
840
-
841
- * ``'file'`` is the path to a |csv| file
842
- * ``name`` is a configuration setting in a |csv| file
843
- * ``should eq 'foo'`` tests a value of ``name`` as read from a |csv| file versus the value declared in the test
844
-
845
- Matchers
846
- -----------------------------------------------------
847
- This InSpec audit resource has the following matchers.
848
-
849
- name
850
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
851
- The ``name`` matcher tests the value of ``name`` as read from a |csv| file versus the value declared in the test:
852
-
853
- .. code-block:: ruby
854
-
855
- its('name') { should eq 'foo' }
856
-
857
- Examples
858
- -----------------------------------------------------
859
- The following examples show how to use this InSpec audit resource.
860
-
861
- **Test a CSV file**
862
-
863
- .. code-block:: ruby
864
-
865
- describe csv('some_file.csv') do
866
- its('setting') { should eq 1 }
867
- end
868
-
869
-
870
-
871
- directory
872
- =====================================================
873
- Use the ``directory`` |inspec resource| to test if the file type is a directory. This is equivalent to using the ``file`` |inspec resource| and the ``be_directory`` matcher, but provides a simpler and more direct way to test directories. All of the matchers available to ``file`` may be used with ``directory``.
874
-
875
- **Stability: Experimental**
876
-
877
- Syntax
878
- -----------------------------------------------------
879
- A ``directory`` |inspec resource| block declares the location of the directory to be tested, and then one (or more) matchers:
880
-
881
- .. code-block:: ruby
882
-
883
- describe directory('path') do
884
- it { should MATCHER 'value' }
885
- end
886
-
887
- Matchers
888
- -----------------------------------------------------
889
- This |inspec resource| may use any of the matchers available to the ``file`` resource that are useful for testing a directory.
890
-
891
- ..
892
- .. Examples
893
- .. -----------------------------------------------------
894
- .. The following examples show how to use this InSpec audit resource.
895
- ..
896
- .. **xxxxx**
897
- ..
898
- .. xxxxx
899
- ..
900
- .. **xxxxx**
901
- ..
902
- .. xxxxx
903
- ..
904
-
905
-
906
- etc_group
907
- =====================================================
908
- Use the ``etc_group`` |inspec resource| to test groups that are defined on |linux| and |unix| platforms. The ``/etc/group`` file stores details about each group---group name, password, group identifier, along with a comma-separate list of users that belong to the group.
909
-
910
- **Stability: Experimental**
911
-
912
- Syntax
913
- -----------------------------------------------------
914
- A ``etc_group`` |inspec resource| block declares a collection of properties to be tested:
915
-
916
- .. code-block:: ruby
917
-
918
- describe etc_group('path') do
919
- its('matcher') { should eq 'some_value' }
920
- end
921
-
922
- or:
923
-
924
- .. code-block:: ruby
925
-
926
- describe etc_group.where(item: 'value', item: 'value') do
927
- its('gids') { should_not contain_duplicates }
928
- its('groups') { should include 'user_name' }
929
- its('users') { should include 'user_name' }
930
- end
931
-
932
- where
933
-
934
- * ``('path')`` is the non-default path to the ``inetd.conf`` file
935
- * ``.where()`` may specify a specific item and value, to which the matchers are compared
936
- * ``'gids'``, ``'groups'``, and ``'users'`` are valid matchers for this |inspec resource|
937
-
938
- Matchers
939
- -----------------------------------------------------
940
- This InSpec audit resource has the following matchers.
941
-
942
- gids
943
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
944
- The ``gids`` matcher tests if the named group identifier is present or if it contains duplicates:
945
-
946
- .. code-block:: ruby
947
-
948
- its('gids') { should_not contain_duplicates }
949
-
950
- groups
951
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
952
- The ``groups`` matcher tests all groups for the named user:
953
-
954
- .. code-block:: ruby
955
-
956
- its('groups') { should include 'my_group' }
957
-
958
- users
959
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
960
- The ``users`` matcher tests all groups for the named user:
961
-
962
- .. code-block:: ruby
963
-
964
- its('users') { should include 'my_user' }
965
-
966
- where
967
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
968
- The ``where`` matcher allows the test to be focused to one (or more) specific items:
969
-
970
- .. code-block:: ruby
971
-
972
- etc_group.where(item: 'value', item: 'value')
973
-
974
- where ``item`` may be one (or more) of:
975
-
976
- * ``name: 'name'``
977
- * ``group_name: 'group_name'``
978
- * ``password: 'password'``
979
- * ``gid: 'gid'``
980
- * ``group_id: 'gid'``
981
- * ``users: 'user_name'``
982
- * ``members: 'member_name'``
983
-
984
- Examples
985
- -----------------------------------------------------
986
- The following examples show how to use this InSpec audit resource.
987
-
988
- **Test group identifiers (GIDs) for duplicates**
989
-
990
- .. code-block:: ruby
991
-
992
- describe etc_group do
993
- its('gids') { should_not contain_duplicates }
994
- end
995
-
996
- **Test all groups to see if a specific user belongs to one (or more) groups**
997
-
998
- .. code-block:: ruby
999
-
1000
- describe etc_group do
1001
- its('groups') { should include 'my_group' }
1002
- end
1003
-
1004
-
1005
- **Test all groups for a specific user name**
1006
-
1007
- .. code-block:: ruby
1008
-
1009
- describe etc_group do
1010
- its('users') { should include 'my_user' }
1011
- end
1012
-
1013
- **Filter a list of groups for a specific user**
1014
-
1015
- .. code-block:: ruby
1016
-
1017
- describe etc_group.where(name: 'my_group') do
1018
- its('users') { should include 'my_user' }
1019
- end
1020
-
1021
-
1022
-
1023
- file
1024
- =====================================================
1025
- Use the ``file`` |inspec resource| to test all system file types, including files, directories, symbolic links, named pipes, sockets, character devices, block devices, and doors.
1026
-
1027
- **Stability: Stable**
1028
-
1029
- Syntax
1030
- -----------------------------------------------------
1031
- A ``file`` |inspec resource| block declares the location of the file type to be tested, what type that file should be (if required), and then one (or more) matchers:
1032
-
1033
- .. code-block:: ruby
1034
-
1035
- describe file('path') do
1036
- it { should MATCHER 'value' }
1037
- end
1038
-
1039
- where
1040
-
1041
- * ``('path')`` is the name of the file and/or the path to the file
1042
- * ``MATCHER`` is a valid matcher for this |inspec resource|
1043
- * ``'value'`` is the value to be tested
1044
-
1045
- Matchers
1046
- -----------------------------------------------------
1047
- This InSpec audit resource has the following matchers.
1048
-
1049
- be_block_device
1050
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1051
- The ``be_block_device`` matcher tests if the file exists as a block device, such as ``/dev/disk0`` or ``/dev/disk0s9``:
1052
-
1053
- .. code-block:: ruby
1054
-
1055
- it { should be_block_device }
1056
-
1057
- be_character_device
1058
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1059
- The ``be_character_device`` matcher tests if the file exists as a character device (that corresponds to a block device), such as ``/dev/rdisk0`` or ``/dev/rdisk0s9``:
1060
-
1061
- .. code-block:: ruby
1062
-
1063
- it { should be_character_device }
1064
-
1065
- be_directory
1066
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1067
- The ``be_directory`` matcher tests if the file exists as a directory, such as ``/etc/passwd``, ``/etc/shadow``, or ``/var/log/httpd``:
1068
-
1069
- .. code-block:: ruby
1070
-
1071
- it { should be_directory }
1072
-
1073
- be_executable
1074
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1075
- The ``be_executable`` matcher tests if the file exists as an executable:
1076
-
1077
- .. code-block:: ruby
1078
-
1079
- it { should be_executable }
1080
-
1081
- The ``be_executable`` matcher may also test if the file is executable by a specific owner, group, or user. For example, a group:
1082
-
1083
- .. code-block:: ruby
1084
-
1085
- it { should be_executable.by('group') }
1086
-
1087
- an owner:
1088
-
1089
- .. code-block:: ruby
1090
-
1091
- it { should be_executable.by('owner') }
1092
-
1093
- a user:
1094
-
1095
- .. code-block:: ruby
1096
-
1097
- it { should be_executable.by_user('user') }
1098
-
1099
- be_file
1100
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1101
- The ``be_file`` matcher tests if the file exists as a file. This can be useful with configuration files like ``/etc/passwd`` where there typically is not an associated file extension---``passwd.txt``:
1102
-
1103
- .. code-block:: ruby
1104
-
1105
- it { should be_file }
1106
-
1107
- be_grouped_into
1108
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1109
- The ``be_grouped_into`` matcher tests if the file exists as part of the named group:
1110
-
1111
- .. code-block:: ruby
1112
-
1113
- it { should be_grouped_into 'group' }
1114
-
1115
- be_immutable
1116
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1117
- The ``be_immutable`` matcher tests if the file is immutable, i.e. "cannot be changed":
1118
-
1119
- .. code-block:: ruby
1120
-
1121
- it { should be_immutable }
1122
-
1123
- be_linked_to
1124
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1125
- The ``be_linked_to`` matcher tests if the file is linked to the named target:
1126
-
1127
- .. code-block:: ruby
1128
-
1129
- it { should be_linked_to '/etc/target-file' }
1130
-
1131
- be_mounted
1132
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1133
- The ``be_mounted`` matcher tests if the file is accessible from the file system:
1134
-
1135
- .. code-block:: ruby
1136
-
1137
- it { should be_mounted }
1138
-
1139
- be_owned_by
1140
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1141
- The ``be_owned_by`` matcher tests if the file is owned by the named user, such as ``root``:
1142
-
1143
- .. code-block:: ruby
1144
-
1145
- it { should be_owned_by 'root' }
1146
-
1147
- be_pipe
1148
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1149
- The ``be_pipe`` matcher tests if the file exists as first-in, first-out special file (``.fifo``) that is typically used to define a named pipe, such as ``/var/log/nginx/access.log.fifo``:
1150
-
1151
- .. code-block:: ruby
1152
-
1153
- it { should be_pipe }
1154
-
1155
- be_readable
1156
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1157
- The ``be_readable`` matcher tests if the file is readable:
1158
-
1159
- .. code-block:: ruby
1160
-
1161
- it { should be_readable }
1162
-
1163
- The ``be_readable`` matcher may also test if the file is readable by a specific owner, group, or user. For example, a group:
1164
-
1165
- .. code-block:: ruby
1166
-
1167
- it { should be_readable.by('group') }
1168
-
1169
- an owner:
1170
-
1171
- .. code-block:: ruby
1172
-
1173
- it { should be_readable.by('owner') }
1174
-
1175
- a user:
1176
-
1177
- .. code-block:: ruby
1178
-
1179
- it { should be_readable.by_user('user') }
1180
-
1181
- be_socket
1182
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1183
- The ``be_socket`` matcher tests if the file exists as socket (``.sock``), such as ``/var/run/php-fpm.sock``:
1184
-
1185
- .. code-block:: ruby
1186
-
1187
- it { should be_socket }
1188
-
1189
- be_symlink
1190
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1191
- The ``be_symlink`` matcher tests if the file exists as a symbolic, or soft link that contains an absolute or relative path reference to another file:
1192
-
1193
- .. code-block:: ruby
1194
-
1195
- it { should be_symlink }
1196
-
1197
- be_version
1198
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1199
- The ``be_version`` matcher tests the version of the file:
1200
-
1201
- .. code-block:: ruby
1202
-
1203
- it { should be_version '1.2.3' }
1204
-
1205
- be_writable
1206
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1207
- The ``be_writable`` matcher tests if the file is writable:
1208
-
1209
- .. code-block:: ruby
1210
-
1211
- it { should be_writable }
1212
-
1213
- The ``be_writable`` matcher may also test if the file is writable by a specific owner, group, or user. For example, a group:
1214
-
1215
- .. code-block:: ruby
1216
-
1217
- it { should be_writable.by('group') }
1218
-
1219
- an owner:
1220
-
1221
- .. code-block:: ruby
1222
-
1223
- it { should be_writable.by('owner') }
1224
-
1225
- a user:
1226
-
1227
- .. code-block:: ruby
1228
-
1229
- it { should be_writable.by_user('user') }
1230
-
1231
- content
1232
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1233
- The ``content`` matcher tests if contents in the file match the value specified in the test. The values of the ``content`` matcher are arbitrary and depend on the file type being tested and also the type of information that is expected to be in that file:
1234
-
1235
- .. code-block:: ruby
1236
-
1237
- its('content') { should match REGEX }
1238
-
1239
- The following complete example tests the ``pg_hba.conf`` file in |postgresql| for |md5| requirements. The tests look at all ``host`` and ``local`` settings in that file, and then compare the |md5| checksums against the values in the test:
1240
-
1241
- .. code-block:: bash
1242
-
1243
- describe file(hba_config_file) do
1244
- its('content') { should match(%r{local\s.*?all\s.*?all\s.*?md5}) }
1245
- its('content') { should match(%r{host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5}) }
1246
- its('content') { should match(%r{host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5}) }
1247
- end
1248
-
1249
- exist
1250
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1251
- The ``exist`` matcher tests if the named file exists:
1252
-
1253
- .. code-block:: ruby
1254
-
1255
- it { should exist }
1256
-
1257
- file_version
1258
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1259
- The ``file_version`` matcher tests if the file's version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
1260
-
1261
- .. code-block:: ruby
1262
-
1263
- its('file_version') { should eq '1.2.3' }
1264
-
1265
- group
1266
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1267
- The ``group`` matcher tests if the group to which a file belongs matches the specified value:
1268
-
1269
- .. code-block:: ruby
1270
-
1271
- its('group') { should eq 'admins' }
1272
-
1273
- have_mode
1274
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1275
- The ``have_mode`` matcher tests if a file has a mode assigned to it:
1276
-
1277
- .. code-block:: ruby
1278
-
1279
- it { should have_mode }
1280
-
1281
- link_path
1282
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1283
- The ``link_path`` matcher tests if the file exists at the specified path:
1284
-
1285
- .. code-block:: ruby
1286
-
1287
- its('link_path') { should eq '/some/path/to/file' }
1288
-
1289
- link_target
1290
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1291
- The ``link_target`` matcher tests if a file that is linked to this file exists at the specified path:
1292
-
1293
- .. code-block:: ruby
1294
-
1295
- its('link_target') { should eq '/some/path/to/file' }
1296
-
1297
- md5sum
1298
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1299
- The ``md5sum`` matcher tests if the |md5| checksum for a file matches the specified value:
1300
-
1301
- .. code-block:: ruby
1302
-
1303
- its('md5sum') { should eq '3329x3hf9130gjs9jlasf2305mx91s4j' }
1304
-
1305
- mode
1306
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1307
- The ``mode`` matcher tests if the mode assigned to the file matches the specified value:
1308
-
1309
- .. code-block:: ruby
1310
-
1311
- its('mode') { should cmp '0644' }
1312
-
1313
- mtime
1314
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1315
- The ``mtime`` matcher tests if the file modification time for the file matches the specified value:
1316
-
1317
- .. code-block:: ruby
1318
-
1319
- its('mtime') { should eq 'October 31 2015 12:10:45' }
1320
-
1321
- or:
1322
-
1323
- .. code-block:: bash
1324
-
1325
- describe file('/').mtime.to_i do
1326
- it { should <= Time.now.to_i }
1327
- it { should >= Time.now.to_i - 1000}
1328
- end
1329
-
1330
- owner
1331
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1332
- The ``owner`` matcher tests if the owner of the file matches the specified value:
1333
-
1334
- .. code-block:: ruby
1335
-
1336
- its('owner') { should eq 'root' }
1337
-
1338
- product_version
1339
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1340
- The ``product_version`` matcher tests if the file's product version matches the specified value. The difference between a file's "file version" and "product version" is that the file version is the version number of the file itself, whereas the product version is the version number associated with the application from which that file originates:
1341
-
1342
- .. code-block:: ruby
1343
-
1344
- its('product_version') { should eq 2.3.4 }
1345
-
1346
- selinux_label
1347
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1348
- The ``selinux_label`` matcher tests if the |selinux| label for a file matches the specified value:
1349
-
1350
- .. code-block:: ruby
1351
-
1352
- its('selinux_label') { should eq 'system_u:system_r:httpd_t:s0' }
1353
-
1354
- sha256sum
1355
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1356
- The ``sha256sum`` matcher tests if the |sha256| checksum for a file matches the specified value:
1357
-
1358
- .. code-block:: ruby
1359
-
1360
- its('sha256sum') { should eq 'b837ch38lh19bb8eaopl8jvxwd2e4g58jn9lkho1w3ed9jbkeicalplaad9k0pjn' }
1361
-
1362
- size
1363
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1364
- The ``size`` matcher tests if a file's size matches, is greater than, or is less than the specified value. For example, equal:
1365
-
1366
- .. code-block:: ruby
1367
-
1368
- its('size') { should eq 32375 }
1369
-
1370
- Greater than:
1371
-
1372
- .. code-block:: ruby
1373
-
1374
- its('size') { should > 64 }
1375
-
1376
- Less than:
1377
-
1378
- .. code-block:: ruby
1379
-
1380
- its('size') { should < 10240 }
1381
-
1382
- type
1383
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1384
- The ``type`` matcher tests if the first letter of the file's mode string contains one of the following characters:
1385
-
1386
- * ``-`` or ``f`` (the file is a file); use ``'file`` to test for this file type
1387
- * ``d`` (the file is a directory); use ``'directory`` to test for this file type
1388
- * ``l`` (the file is a symbolic link); use ``'link`` to test for this file type
1389
- * ``p`` (the file is a named pipe); use ``'pipe`` to test for this file type
1390
- * ``s`` (the file is a socket); use ``'socket`` to test for this file type
1391
- * ``c`` (the file is a character device); use ``'character`` to test for this file type
1392
- * ``b`` (the file is a block device); use ``'block`` to test for this file type
1393
- * ``D`` (the file is a door); use ``'door`` to test for this file type
1394
-
1395
- For example:
1396
-
1397
- .. code-block:: ruby
1398
-
1399
- its('type') { should eq 'file' }
1400
-
1401
- or:
1402
-
1403
- .. code-block:: ruby
1404
-
1405
- its('type') { should eq 'socket' }
1406
-
1407
- Examples
1408
- -----------------------------------------------------
1409
- The following examples show how to use this InSpec audit resource.
1410
-
1411
- **Test the contents of a file for MD5 requirements**
1412
-
1413
- .. code-block:: bash
1414
-
1415
- describe file(hba_config_file) do
1416
- its('content') { should match /local\s.*?all\s.*?all\s.*?md5/ }
1417
- its('content') { should match %r{/host\s.*?all\s.*?all\s.*?127.0.0.1\/32\s.*?md5/} }
1418
- its('content') { should match %r{/host\s.*?all\s.*?all\s.*?::1\/128\s.*?md5/} }
1419
- end
1420
-
1421
- **Test if a file exists**
1422
-
1423
- .. code-block:: bash
1424
-
1425
- describe file('/tmp') do
1426
- it { should exist }
1427
- end
1428
-
1429
- **Test that a file does not exist**
1430
-
1431
- .. code-block:: bash
1432
-
1433
- describe file('/tmpest') do
1434
- it { should_not exist }
1435
- end
1436
-
1437
- **Test if a path is a directory**
1438
-
1439
- .. code-block:: bash
1440
-
1441
- describe file('/tmp') do
1442
- its('type') { should eq :directory }
1443
- it { should be_directory }
1444
- end
1445
-
1446
- **Test if a path is a file and not a directory**
1447
-
1448
- .. code-block:: bash
1449
-
1450
- describe file('/proc/version') do
1451
- its('type') { should eq 'file' }
1452
- it { should be_file }
1453
- it { should_not be_directory }
1454
- end
1455
-
1456
- **Test if a file is a symbolic link**
1457
-
1458
- .. code-block:: bash
1459
-
1460
- describe file('/dev/stdout') do
1461
- its('type') { should eq 'symlink' }
1462
- it { should be_symlink }
1463
- it { should_not be_file }
1464
- it { should_not be_directory }
1465
- end
1466
-
1467
- **Test if a file is a character device**
1468
-
1469
- .. code-block:: bash
1470
-
1471
- describe file('/dev/zero') do
1472
- its('type') { should eq 'character' }
1473
- it { should be_character_device }
1474
- it { should_not be_file }
1475
- it { should_not be_directory }
1476
- end
1477
-
1478
- **Test if a file is a block device**
1479
-
1480
- .. code-block:: bash
1481
-
1482
- describe file('/dev/zero') do
1483
- its('type') { should eq 'block' }
1484
- it { should be_character_device }
1485
- it { should_not be_file }
1486
- it { should_not be_directory }
1487
- end
1488
-
1489
- **Test the mode for a file**
1490
-
1491
- .. code-block:: bash
1492
-
1493
- describe file('/dev') do
1494
- its('mode') { should cmp '00755' }
1495
- end
1496
-
1497
- **Test the owner of a file**
1498
-
1499
- .. code-block:: bash
1500
-
1501
- describe file('/root') do
1502
- its('owner') { should eq 'root' }
1503
- end
1504
-
1505
- **Test if a file is owned by the root user**
1506
-
1507
- .. code-block:: bash
1508
-
1509
- describe file('/dev') do
1510
- it { should be_owned_by 'root' }
1511
- end
1512
-
1513
- **Test the mtime for a file**
1514
-
1515
- .. code-block:: bash
1516
-
1517
- describe file('/').mtime.to_i do
1518
- it { should <= Time.now.to_i }
1519
- it { should >= Time.now.to_i - 1000}
1520
- end
1521
-
1522
- **Test that a file's size is between 64 and 10240**
1523
-
1524
- .. code-block:: bash
1525
-
1526
- describe file('/') do
1527
- its('size') { should be > 64 }
1528
- its('size') { should be < 10240 }
1529
- end
1530
-
1531
- **Test that a file's size is zero**
1532
-
1533
- .. code-block:: bash
1534
-
1535
- describe file('/proc/cpuinfo') do
1536
- its('size') { should be 0 }
1537
- end
1538
-
1539
- **Test that a file is not mounted**
1540
-
1541
- .. code-block:: bash
1542
-
1543
- describe file('/proc/cpuinfo') do
1544
- it { should_not be_mounted }
1545
- end
1546
-
1547
- **Test an MD5 checksum**
1548
-
1549
- .. code-block:: bash
1550
-
1551
- require 'digest'
1552
- cpuinfo = file('/proc/cpuinfo').content
1553
- md5sum = Digest::MD5.hexdigest(cpuinfo)
1554
-
1555
- describe file('/proc/cpuinfo') do
1556
- its('md5sum') { should eq md5sum }
1557
- end
1558
-
1559
- **Test an SHA-256 checksum**
1560
-
1561
- .. code-block:: bash
1562
-
1563
- require 'digest'
1564
- cpuinfo = file('/proc/cpuinfo').content
1565
- sha256sum = Digest::SHA256.hexdigest(cpuinfo)
1566
-
1567
- describe file('/proc/cpuinfo') do
1568
- its('sha256sum') { should eq sha256sum }
1569
- end
1570
-
1571
-
1572
- gem
1573
- =====================================================
1574
- Use the ``gem`` |inspec resource| to test if a global |gem| package is installed.
1575
-
1576
- **Stability: Experimental**
1577
-
1578
- Syntax
1579
- -----------------------------------------------------
1580
- A ``gem`` |inspec resource| block declares a package and (optionally) a package version:
1581
-
1582
- .. code-block:: ruby
1583
-
1584
- describe gem('gem_package_name') do
1585
- it { should be_installed }
1586
- end
1587
-
1588
- where
1589
-
1590
- * ``('gem_package_name')`` must specify a |gem| package, such as ``'rubocop'``
1591
- * ``be_installed`` is a valid matcher for this |inspec resource|
1592
-
1593
- Matchers
1594
- -----------------------------------------------------
1595
- This InSpec audit resource has the following matchers.
1596
-
1597
- be_installed
1598
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1599
- The ``be_installed`` matcher tests if the named |gem| package is installed:
1600
-
1601
- .. code-block:: ruby
1602
-
1603
- it { should be_installed }
1604
-
1605
- version
1606
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1607
- The ``version`` matcher tests if the named package version is on the system:
1608
-
1609
- .. code-block:: ruby
1610
-
1611
- its('version') { should eq '0.33.0' }
1612
-
1613
- Examples
1614
- -----------------------------------------------------
1615
- The following examples show how to use this InSpec audit resource.
1616
-
1617
- **Verify that a gem package is installed, with a specific version**
1618
-
1619
- .. code-block:: ruby
1620
-
1621
- describe gem('rubocop') do
1622
- it { should be_installed }
1623
- its('version') { should eq '0.33.0' }
1624
- end
1625
-
1626
- **Verify that a gem package is not installed**
1627
-
1628
- .. code-block:: ruby
1629
-
1630
- describe gem('rubocop') do
1631
- it { should_not be_installed }
1632
- end
1633
-
1634
-
1635
- group
1636
- =====================================================
1637
- Use the ``group`` |inspec resource| to test groups on the system.
1638
-
1639
- Syntax
1640
- -----------------------------------------------------
1641
- A ``group`` |inspec resource| block declares a group, and then the details to be tested, such as if the group is a local group, the group identifier, or if the group exists:
1642
-
1643
- .. code-block:: ruby
1644
-
1645
- describe group('group_name') do
1646
- it { should exist }
1647
- its('gid') { should eq 0 }
1648
- end
1649
-
1650
- where
1651
-
1652
- * ``'group_name'`` must specify the name of a group on the system
1653
- * ``exist`` and ``'gid'`` are valid matchers for this |inspec resource|
1654
-
1655
- Matchers
1656
- -----------------------------------------------------
1657
- This InSpec audit resource has the following matchers.
1658
-
1659
- be_local
1660
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1661
- The ``be_local`` matcher tests if the group is a local group:
1662
-
1663
- .. code-block:: ruby
1664
-
1665
- it { should be_local }
1666
-
1667
- exist
1668
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1669
- The ``exist`` matcher tests if the named user exists:
1670
-
1671
- .. code-block:: ruby
1672
-
1673
- it { should exist }
1674
-
1675
- gid
1676
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1677
- The ``gid`` matcher tests the named group identifier:
1678
-
1679
- .. code-block:: ruby
1680
-
1681
- its('gid') { should eq 1234 }
1682
-
1683
- Examples
1684
- -----------------------------------------------------
1685
- The following examples show how to use this InSpec audit resource.
1686
-
1687
- **Test the group identifier for the root group**
1688
-
1689
- .. code-block:: ruby
1690
-
1691
- describe group('root') do
1692
- it { should exist }
1693
- its('gid') { should eq 0 }
1694
- end
1695
-
1696
-
1697
-
1698
-
1699
- grub_conf
1700
- =====================================================
1701
-
1702
- Test both Grub 1 and Grub 2 configurations.
1703
-
1704
- **Stability: Experimental**
1705
-
1706
- Syntax
1707
- -----------------------------------------------------
1708
- A ``grub_conf`` resource is used to specify a configuration file and boot configuration.
1709
-
1710
- .. code-block:: ruby
1711
-
1712
- describe grub_conf('/etc/grub.conf', 'default') do
1713
- its('kernel') { should include '/vmlinuz-2.6.32-573.7.1.el6.x86_64' }
1714
- its('initrd') { should include '/initramfs-2.6.32-573.el6.x86_64.img=1' }
1715
- its('default') { should_not eq '1' }
1716
- its('timeout') { should eq '5' }
1717
- end
1718
-
1719
- You can also check specific kernels:
1720
-
1721
- .. code-block:: ruby
1722
-
1723
- grub_conf('/etc/grub.conf', 'CentOS (2.6.32-573.12.1.el6.x86_64)') do
1724
- its('kernel') { should include 'audit=1' }
1725
- end
1726
-
1727
-
1728
-
1729
-
1730
- host
1731
- =====================================================
1732
- Use the ``host`` |inspec resource| to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.
1733
-
1734
- **Stability: Stable**
1735
-
1736
- Syntax
1737
- -----------------------------------------------------
1738
- A ``host`` |inspec resource| block declares a host name, and then (depending on what is to be tested) a port and/or a protocol:
1739
-
1740
- .. code-block:: ruby
1741
-
1742
- describe host('example.com', port: 80, proto: 'tcp') do
1743
- it { should be_reachable }
1744
- end
1745
-
1746
- where
1747
-
1748
- * ``host()`` must specify a host name and may specify a port number and/or a protocol
1749
- * ``'example.com'`` is the host name
1750
- * ``port:`` is the port number
1751
- * ``proto: 'name'`` is the Internet protocol: |tcp| (``proto: 'tcp'``), |udp| (``proto: 'udp'`` or |icmp| (``proto: 'icmp'``))
1752
- * ``be_reachable`` is a valid matcher for this |inspec resource|
1753
-
1754
- Matchers
1755
- -----------------------------------------------------
1756
- This InSpec audit resource has the following matchers.
1757
-
1758
- be_reachable
1759
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1760
- The ``be_reachable`` matcher tests if the host name is available:
1761
-
1762
- .. code-block:: ruby
1763
-
1764
- it { should be_reachable }
1765
-
1766
- be_resolvable
1767
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1768
- The ``be_resolvable`` matcher tests for host name resolution, i.e. "resolvable to an IP address":
1769
-
1770
- .. code-block:: ruby
1771
-
1772
- it { should be_resolvable }
1773
-
1774
- ipaddress
1775
- -----------------------------------------------------
1776
- The ``ipaddress`` matcher tests if a host name is resolvable to a specific IP address:
1777
-
1778
- .. code-block:: ruby
1779
-
1780
- its('ipaddress') { should include '93.184.216.34' }
1781
-
1782
- Examples
1783
- -----------------------------------------------------
1784
- The following examples show how to use this InSpec audit resource.
1785
-
1786
- **Verify host name s reachable over a specific protocol and port number**
1787
-
1788
- .. code-block:: ruby
1789
-
1790
- describe host('example.com', port: 53, proto: 'udp') do
1791
- it { should be_reachable }
1792
- end
1793
-
1794
- **Verify that a specific IP address can be resolved**
1795
-
1796
- .. code-block:: ruby
1797
-
1798
- describe host('example.com', port: 80, proto: 'tcp') do
1799
- it { should be_resolvable }
1800
- its('ipaddress') { should include '192.168.1.1' }
1801
- end
1802
-
1803
-
1804
- iis_site
1805
- =====================================================
1806
- Tests the status, path, bindings, and application pool of an IIS website. Supported in windows 2012 and higher.
1807
-
1808
- **Stability: Experimental**
1809
-
1810
- Syntax
1811
- -----------------------------------------------------
1812
- An ``iis_site`` |inspec resource| block declares the IIS web site properties to be tested:
1813
-
1814
- .. code-block:: ruby
1815
- describe iis_site('website') do
1816
- it { should exist }
1817
- it { should be_running }
1818
- it { should have_app_pool('app_pool') }
1819
- it { should have_binding('https :443:www.contoso.com sslFlags=0') }
1820
- it { should have_path('C:\\inetpub\\wwwroot') }
1821
- end
1822
-
1823
- where
1824
-
1825
- * ``iis_site()`` must specify a web site name
1826
- * ``'website'`` is the web site name
1827
- * ``have_app_pool('my_app_pool')`` tests that our site belongs to the 'my_app_pool' application pool
1828
- * ``have_binding('my_binding')`` tests that our site has the specified binding. my_binding should be in the format of the default output from the Get-Website powershell cmdlet
1829
-
1830
- Matchers
1831
- -----------------------------------------------------
1832
- This InSpec audit resource has the following matchers.
1833
-
1834
- exist
1835
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1836
- The ``exist`` matcher tests if the website exists in IIS:
1837
-
1838
- .. code-block:: ruby
1839
-
1840
- it { should exist }
1841
-
1842
- be_running
1843
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1844
- The ``be_running`` matcher tests if the IIS site is running
1845
-
1846
- .. code-block:: ruby
1847
-
1848
- it { should be_running }
1849
-
1850
- have_app_pool
1851
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1852
- The ``have_app_pool`` matcher tests if the IIS site belongs in the specified application pool
1853
-
1854
- .. code-block:: ruby
1855
-
1856
- it { should have_app_pool('Default App Pool') }
1857
-
1858
- have_binding
1859
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1860
- The ``have_binding`` matcher tests if the IIS site has the specified binding
1861
-
1862
- .. code-block:: ruby
1863
-
1864
- it { should have_binding('http :80:*' ) }
1865
-
1866
- have_path
1867
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
1868
- The ``have_path`` matcher tests if the IIS site is located in the specified path
1869
-
1870
- .. code-block:: ruby
1871
-
1872
- it { should have_path('c:\\inetpub\\wwwroot\\my_site') }
1873
-
1874
-
1875
- Examples
1876
- -----------------------------------------------------
1877
- The following examples show how to use this InSpec audit resource.
1878
-
1879
- **Test if a web site 'My Site' is running and is located on disk at c:\\mysite**
1880
-
1881
- .. code-block:: ruby
1882
-
1883
- describe iis_site('My Site') do
1884
- it { should be_running }
1885
- it { should have_path('c:\\mysite') }
1886
- end
1887
-
1888
- **Test to see if 'Default Web Site' has been removed**
1889
-
1890
- .. code-block:: ruby
1891
-
1892
- describe iis_site('Default Web Site') do
1893
- it { should_not exist }
1894
- end
1895
-
1896
- **Test 'New Website' is running in Default App Pool and listening on port 80 via http**
1897
-
1898
- .. code-block:: ruby
1899
-
1900
- describe iis_site('New Website') do
1901
- it { should have_app_pool('app_pool') }
1902
- it { should have_binding('http :80:*') }
1903
- end
1904
-
1905
-
1906
-
1907
- inetd_conf
1908
- =====================================================
1909
- Use the ``inetd_conf`` |inspec resource| to test if a service is enabled in the ``inetd.conf`` file on |linux| and |unix| platforms. |inetd|---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The ``inetd.conf`` file is typically located at ``/etc/inetd.conf`` and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.
1910
-
1911
- **Stability: Experimental**
1912
-
1913
- Syntax
1914
- -----------------------------------------------------
1915
- An ``inetd_conf`` |inspec resource| block declares the list of services that are enabled in the ``inetd.conf`` file:
1916
-
1917
- .. code-block:: ruby
1918
-
1919
- describe inetd_conf('path') do
1920
- its('service_name') { should eq 'value' }
1921
- end
1922
-
1923
- where
1924
-
1925
- * ``'service_name'`` is a service listed in the ``inetd.conf`` file
1926
- * ``('path')`` is the non-default path to the ``inetd.conf`` file
1927
- * ``should eq 'value'`` is the value that is expected
1928
-
1929
- Matchers
1930
- -----------------------------------------------------
1931
- This |inspec resource| matches any service that is listed in the ``inetd.conf`` file. You may want to ensure that specific services do not listen via ``inetd.conf``:
1932
-
1933
- .. code-block:: ruby
1934
-
1935
- its('shell') { should eq nil }
1936
-
1937
- or:
1938
-
1939
- .. code-block:: ruby
1940
-
1941
- its('netstat') { should eq nil }
1942
-
1943
- or:
1944
-
1945
- .. code-block:: ruby
1946
-
1947
- its('systat') { should eq nil }
1948
-
1949
- For example:
1950
-
1951
- .. code-block:: ruby
1952
-
1953
- describe inetd_conf do
1954
- its('shell') { should eq nil }
1955
- its('login') { should eq nil }
1956
- its('exec') { should eq nil }
1957
- end
1958
-
1959
- Examples
1960
- -----------------------------------------------------
1961
- The following examples show how to use this InSpec audit resource.
1962
-
1963
- **Verify that FTP is disabled**
1964
-
1965
- The contents if the ``inetd.conf`` file contain the following:
1966
-
1967
- .. code-block:: text
1968
-
1969
- #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
1970
- #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
1971
-
1972
- and the following test is defined:
1973
-
1974
- .. code-block:: ruby
1975
-
1976
- describe inetd_conf do
1977
- its('ftp') { should eq nil }
1978
- its('telnet') { should eq nil }
1979
- end
1980
-
1981
- Because both the ``ftp`` and ``telnet`` Internet services are commented out (``#``), both services are disabled. Consequently, both tests will return ``true``. However, if the ``inetd.conf`` file is set as follows:
1982
-
1983
- .. code-block:: text
1984
-
1985
- ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
1986
- #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
1987
-
1988
- then the same test will return ``false`` for ``ftp`` and the entire test will fail.
1989
-
1990
- **Test if telnet is installed**
1991
-
1992
- .. code-block:: ruby
1993
-
1994
- describe package('telnetd') do
1995
- it { should_not be_installed }
1996
- end
1997
-
1998
- describe inetd_conf do
1999
- its('telnet') { should eq nil }
2000
- end
2001
-
2002
-
2003
- ini
2004
- =====================================================
2005
- Use the ``ini`` |inspec resource| to test data in a INI file.
2006
-
2007
- **Stability: Stable**
2008
-
2009
- Syntax
2010
- -----------------------------------------------------
2011
- An ``ini`` |inspec resource| block declares the content of the ``ini`` file:
2012
-
2013
- .. code-block:: ruby
2014
-
2015
- describe ini('path/to/ini_file.ini') do
2016
- its('auth_protocol') { should eq 'https' }
2017
- end
2018
-
2019
- where
2020
-
2021
- * ``'auth_protocol'`` is a key in the ``ini`` file
2022
- * ``('https')`` is the expected value associated with the above key in the ``ini`` file
2023
-
2024
- Matchers
2025
- -----------------------------------------------------
2026
- This |inspec resource| matches any content in the ``ini`` file:
2027
-
2028
- .. code-block:: ruby
2029
-
2030
- its('port') { should eq '143' }
2031
-
2032
- Examples
2033
- -----------------------------------------------------
2034
- The following examples show how to use this InSpec audit resource.
2035
-
2036
- For example:
2037
-
2038
- .. code-block:: ruby
2039
-
2040
- describe ini('path/to/ini_file.ini') do
2041
- its('port') { should eq '143' }
2042
- its('server') { should eq '192.0.2.62' }
2043
- end
2044
-
2045
-
2046
- interface
2047
- =====================================================
2048
- Use the ``interface`` |inspec resource| to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec).
2049
-
2050
- * On |linux| platforms, ``/sys/class/net/#{iface}`` is used as source
2051
- * On the |windows| platform, the ``Get-NetAdapter`` cmdlet is used as source
2052
-
2053
- **Stability: Stable**
2054
-
2055
- Syntax
2056
- -----------------------------------------------------
2057
- An ``interface`` |inspec resource| block declares network interface properties to be tested:
2058
-
2059
- .. code-block:: ruby
2060
-
2061
- describe interface do
2062
- it { should be_up }
2063
- its('speed') { should eq 1000 }
2064
- its('name') { should eq eth0 }
2065
- end
2066
-
2067
-
2068
- Matchers
2069
- -----------------------------------------------------
2070
- This InSpec audit resource has the following matchers.
2071
-
2072
- be_up
2073
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2074
- The ``be_up`` matcher tests if the network interface is available:
2075
-
2076
- .. code-block:: ruby
2077
-
2078
- it { should be_up }
2079
-
2080
- name
2081
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2082
- The ``name`` matcher tests if the named network interface exists:
2083
-
2084
- .. code-block:: ruby
2085
-
2086
- its('name') { should eq eth0 }
2087
-
2088
- speed
2089
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2090
- The ``speed`` matcher tests the speed of the network interface, in MB/sec:
2091
-
2092
- .. code-block:: ruby
2093
-
2094
- its('speed') { should eq 1000 }
2095
-
2096
- ..
2097
- .. Examples
2098
- .. -----------------------------------------------------
2099
- .. The following examples show how to use this InSpec audit resource.
2100
- ..
2101
- .. **xxxxx**
2102
- ..
2103
- .. xxxxx
2104
- ..
2105
- .. **xxxxx**
2106
- ..
2107
- .. xxxxx
2108
- ..
2109
-
2110
-
2111
-
2112
- iptables
2113
- =====================================================
2114
- Use the ``iptables`` |inspec resource| to test rules that are defined in ``iptables``, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.
2115
-
2116
- **Stability: Experimental**
2117
-
2118
- Syntax
2119
- -----------------------------------------------------
2120
- A ``iptables`` |inspec resource| block declares tests for rules in IP tables:
2121
-
2122
- .. code-block:: ruby
2123
-
2124
- describe iptables(rule:'name', table:'name', chain: 'name') do
2125
- it { should have_rule('RULE') }
2126
- end
2127
-
2128
- where
2129
-
2130
- * ``iptables()`` may specify any combination of ``rule``, ``table``, or ``chain``
2131
- * ``rule:'name'`` is the name of a rule that matches a set of packets
2132
- * ``table:'name'`` is the packet matching table against which the test is run
2133
- * ``chain: 'name'`` is the name of a user-defined chain or one of ``ACCEPT``, ``DROP``, ``QUEUE``, or ``RETURN``
2134
- * ``have_rule('RULE')`` tests that rule in the iptables file
2135
-
2136
- Matchers
2137
- -----------------------------------------------------
2138
- This InSpec audit resource has the following matchers.
2139
-
2140
- have_rule
2141
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2142
- The ``have_rule`` matcher tests the named rule against the information in the ``iptables`` file:
2143
-
2144
- .. code-block:: ruby
2145
-
2146
- it { should have_rule('RULE') }
2147
-
2148
- Examples
2149
- -----------------------------------------------------
2150
- The following examples show how to use this InSpec audit resource.
2151
-
2152
- **Test if the IP table allows a packet through**
2153
-
2154
- .. code-block:: ruby
2155
-
2156
- describe iptables do
2157
- it { should have_rule('-P INPUT ACCEPT') }
2158
- end
2159
-
2160
- **Test if the IP table allows a packet through, for a specific table and chain**
2161
-
2162
- .. code-block:: ruby
2163
-
2164
- describe iptables(table:'mangle', chain: 'input') do
2165
- it { should have_rule('-P INPUT ACCEPT') }
2166
- end
2167
-
2168
-
2169
-
2170
- json
2171
- =====================================================
2172
- Use the ``json`` |inspec resource| to test data in a |json| file.
2173
-
2174
- **Stability: Experimental**
2175
-
2176
- Syntax
2177
- -----------------------------------------------------
2178
- A ``json`` |inspec resource| block declares the data to be tested. Assume the following json file:
2179
-
2180
- .. code-block:: json
2181
-
2182
- {
2183
- "name" : "hello",
2184
- "meta" : {
2185
- "creator" : "John Doe"
2186
- },
2187
- "array": [
2188
- "zero",
2189
- "one"
2190
- ]
2191
- }
2192
-
2193
-
2194
- This file can be queried via:
2195
-
2196
- .. code-block:: ruby
2197
-
2198
- describe json('/path/to/name.json') do
2199
- its('name') { should eq 'hello' }
2200
- its(['meta','creator']) { should eq 'John Doe' }
2201
- its(['array', 1]) { should eq 'one' }
2202
- end
2203
-
2204
- where
2205
-
2206
- * ``name`` is a configuration setting in a |json| file
2207
- * ``should eq 'foo'`` tests a value of ``name`` as read from a |json| file versus the value declared in the test
2208
-
2209
- Matchers
2210
- -----------------------------------------------------
2211
- This InSpec audit resource has the following matchers.
2212
-
2213
- name
2214
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2215
- The ``name`` matcher tests the value of ``name`` as read from a |json| file versus the value declared in the test:
2216
-
2217
- .. code-block:: ruby
2218
-
2219
- its('name') { should eq 'foo' }
2220
-
2221
- Examples
2222
- -----------------------------------------------------
2223
- The following examples show how to use this InSpec audit resource.
2224
-
2225
- **Test a cookbook version in a policyfile.lock.json file**
2226
-
2227
- .. code-block:: ruby
2228
-
2229
- describe json('policyfile.lock.json') do
2230
- its('cookbook_locks.omnibus.version') { should eq('2.2.0') }
2231
- end
2232
-
2233
-
2234
-
2235
- kernel_module
2236
- =====================================================
2237
- Use the ``kernel_module`` |inspec resource| to test kernel modules on |linux| platforms. These parameters are located under ``/lib/modules``. Any submodule may be tested using this resource.
2238
-
2239
- **Stability: Stable**
2240
-
2241
- Syntax
2242
- -----------------------------------------------------
2243
- A ``kernel_module`` |inspec resource| block declares a module name, and then tests if that module is a loadable kernel module:
2244
-
2245
- .. code-block:: ruby
2246
-
2247
- describe kernel_module('module_name') do
2248
- it { should be_loaded }
2249
- end
2250
-
2251
- where
2252
-
2253
- * ``'module_name'`` must specify a kernel module, such as ``'bridge'``
2254
- * ``{ should be_loaded }`` tests if the module is a loadable kernel module
2255
-
2256
- Matchers
2257
- -----------------------------------------------------
2258
- This InSpec audit resource has the following matchers.
2259
-
2260
- be_loaded
2261
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2262
- The ``be_loaded`` matcher tests if the module is a loadable kernel module:
2263
-
2264
- .. code-block:: ruby
2265
-
2266
- it { should be_loaded }
2267
-
2268
- Examples
2269
- -----------------------------------------------------
2270
- The following examples show how to use this InSpec audit resource.
2271
-
2272
- **Test if a module is loaded**
2273
-
2274
- .. code-block:: ruby
2275
-
2276
- describe kernel_module('bridge') do
2277
- it { should be_loaded }
2278
- end
2279
-
2280
-
2281
- kernel_parameter
2282
- =====================================================
2283
- Use the ``kernel_parameter`` |inspec resource| to test kernel parameters on |linux| platforms.
2284
-
2285
- **Stability: Stable**
2286
-
2287
- Syntax
2288
- -----------------------------------------------------
2289
- A ``kernel_parameter`` |inspec resource| block declares a parameter and then a value to be tested:
2290
-
2291
- .. code-block:: ruby
2292
-
2293
- describe kernel_parameter('path.to.parameter') do
2294
- its('value') { should eq 0 }
2295
- end
2296
-
2297
- where
2298
-
2299
- * ``'kernel.parameter'`` must specify a kernel parameter, such as ``'net.ipv4.conf.all.forwarding'``
2300
- * ``{ should eq 0 }`` states the value to be tested
2301
-
2302
- Matchers
2303
- -----------------------------------------------------
2304
- This InSpec audit resource has the following matchers.
2305
-
2306
- value
2307
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2308
- The ``value`` matcher tests the value assigned to the named IP address versus the value declared in the test:
2309
-
2310
- .. code-block:: ruby
2311
-
2312
- its('value') { should eq 0 }
2313
-
2314
- Examples
2315
- -----------------------------------------------------
2316
- The following examples show how to use this InSpec audit resource.
2317
-
2318
- **Test if global forwarding is enabled for an IPv4 address**
2319
-
2320
- .. code-block:: ruby
2321
-
2322
- describe kernel_parameter('net.ipv4.conf.all.forwarding') do
2323
- its('value') { should eq 1 }
2324
- end
2325
-
2326
- **Test if global forwarding is disabled for an IPv6 address**
2327
-
2328
- .. code-block:: ruby
2329
-
2330
- describe kernel_parameter('net.ipv6.conf.all.forwarding') do
2331
- its('value') { should eq 0 }
2332
- end
2333
-
2334
- **Test if an IPv6 address accepts redirects**
2335
-
2336
- .. code-block:: ruby
2337
-
2338
- describe kernel_parameter('net.ipv6.conf.interface.accept_redirects') do
2339
- its('value') { should eq 'true' }
2340
- end
2341
-
2342
-
2343
- limits_conf
2344
- =====================================================
2345
- Use the ``limits_conf`` |inspec resource| to test configuration settings in the ``/etc/security/limits.conf`` file. The ``limits.conf`` defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit.
2346
-
2347
- * Soft limits are maintained by the shell and defines the number of file handles (or open files) available to the user or group after login
2348
- * Hard limits are maintained by the kernel and defines the maximum number of allowed file handles
2349
-
2350
- Entries in the ``limits.conf`` file are similar to:
2351
-
2352
- .. code-block:: bash
2353
-
2354
- grantmc soft nofile 4096
2355
- grantmc hard nofile 63536
2356
-
2357
- ^^^^^^^^^ ^^^^ ^^^^^^ ^^^^^
2358
- domain type item value
2359
-
2360
- **Stability: Experimental**
2361
-
2362
- Syntax
2363
- -----------------------------------------------------
2364
- A ``limits_conf`` |inspec resource| block declares a domain to be tested, along with associated type, item, and value:
2365
-
2366
- .. code-block:: ruby
2367
-
2368
- describe limits_conf('path') do
2369
- its('domain') { should include ['type', 'item', 'value'] }
2370
- its('domain') { should eq ['type', 'item', 'value'] }
2371
- end
2372
-
2373
- where
2374
-
2375
- * ``('path')`` is the non-default path to the ``inetd.conf`` file
2376
- * ``'domain'`` is a user or group name, such as ``grantmc``
2377
- * ``'type'`` is either ``hard`` or ``soft``
2378
- * ``'item'`` is the item for which limits are defined, such as ``core``, ``nofile``, ``stack``, ``nproc``, ``priority``, or ``maxlogins``
2379
- * ``'value'`` is the value associated with the ``item``
2380
-
2381
- Matchers
2382
- -----------------------------------------------------
2383
- This InSpec audit resource has the following matchers.
2384
-
2385
- domain
2386
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2387
- The ``domain`` matcher tests the domain in the ``limits.conf`` file, along with associated type, item, and value:
2388
-
2389
- .. code-block:: ruby
2390
-
2391
- its('domain') { should include ['type', 'item', 'value'] }
2392
-
2393
- For example:
2394
-
2395
- .. code-block:: ruby
2396
-
2397
- its('grantmc') { should include ['hard', 'nofile', '63536'] }
2398
-
2399
- Examples
2400
- -----------------------------------------------------
2401
- The following examples show how to use this InSpec audit resource.
2402
-
2403
- **Test * and ftp limits**
2404
-
2405
- .. code-block:: ruby
2406
-
2407
- describe limits_conf('path') do
2408
- its('*') { should include ['soft', 'core', '0'] }
2409
- its('*') { should include ['hard', 'rss', '10000'] }
2410
- its('ftp') { should eq ['hard', 'nproc', '0'] }
2411
- end
2412
-
2413
- login_defs
2414
- =====================================================
2415
- Use the ``login_defs`` |inspec resource| to test configuration settings in the ``/etc/login.defs`` file. The ``logins.defs`` file defines site-specific configuration for the shadow password suite on |linux| and |unix| platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.
2416
-
2417
- **Stability: Experimental**
2418
-
2419
- Syntax
2420
- -----------------------------------------------------
2421
- A ``login_defs`` |inspec resource| block declares the ``login.defs`` configuration data to be tested:
2422
-
2423
- .. code-block:: ruby
2424
-
2425
- describe login_defs do
2426
- its('name') { should include('foo') }
2427
- end
2428
-
2429
- where
2430
-
2431
- * ``name`` is a configuration setting in ``login.defs``
2432
- * ``{ should include('foo') }`` tests the value of ``name`` as read from ``login.defs`` versus the value declared in the test
2433
-
2434
- Matchers
2435
- -----------------------------------------------------
2436
- This InSpec audit resource has the following matchers.
2437
-
2438
- name
2439
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2440
- The ``name`` matcher tests the value of ``name`` as read from ``login.defs`` versus the value declared in the test:
2441
-
2442
- .. code-block:: ruby
2443
-
2444
- its('name') { should eq 'foo' }
2445
-
2446
- Examples
2447
- -----------------------------------------------------
2448
- The following examples show how to use this InSpec audit resource.
2449
-
2450
- **Test password expiration settings**
2451
-
2452
- .. code-block:: ruby
2453
-
2454
- describe login_defs do
2455
- its('PASS_MAX_DAYS') { should eq '180' }
2456
- its('PASS_MIN_DAYS') { should eq '1' }
2457
- its('PASS_MIN_LEN') { should eq '15' }
2458
- its('PASS_WARN_AGE') { should eq '30' }
2459
- end
2460
-
2461
- **Test the encryption method**
2462
-
2463
- .. code-block:: ruby
2464
-
2465
- describe login_defs do
2466
- its('ENCRYPT_METHOD') { should eq 'SHA512' }
2467
- end
2468
-
2469
- **Test umask and password expiration**
2470
-
2471
- .. code-block:: ruby
2472
-
2473
- describe login_def do
2474
- its('UMASK') { should eq '077' }
2475
- its('PASS_MAX_DAYS') { should eq '90' }
2476
- end
2477
-
2478
-
2479
- mount
2480
- =====================================================
2481
- Use the ``mount`` |inspec resource| to test the mountpoints on |linux| systems.
2482
-
2483
- **Stability: Experimental**
2484
-
2485
- Syntax
2486
- -----------------------------------------------------
2487
- An ``mount`` |inspec resource| block declares the synchronization settings that should be tested:
2488
-
2489
- .. code-block:: ruby
2490
-
2491
- describe mount('path') do
2492
- it { should MATCHER 'value' }
2493
- end
2494
-
2495
- where
2496
-
2497
- * ``('path')`` is the path to the mounted directory
2498
- * ``MATCHER`` is a valid matcher for this |inspec resource|
2499
- * ``'value'`` is the value to be tested
2500
-
2501
- Matchers
2502
- -----------------------------------------------------
2503
- This |inspec resource| has the following matchers:
2504
-
2505
- be_mounted
2506
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2507
- The ``be_mounted`` matcher tests if the file is accessible from the file system:
2508
-
2509
- .. code-block:: ruby
2510
-
2511
- it { should be_mounted }
2512
-
2513
- device
2514
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2515
- The ``device`` matcher tests the device from the fstab table:
2516
-
2517
- .. code-block:: ruby
2518
-
2519
- its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
2520
-
2521
- type
2522
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2523
- The ``type`` matcher tests the filesystem type:
2524
-
2525
- .. code-block:: ruby
2526
-
2527
- its('type') { should eq 'ext4' }
2528
-
2529
-
2530
- options
2531
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2532
- The ``options`` matcher tests the mount options for the filesystem from the fstab table:
2533
-
2534
- .. code-block:: ruby
2535
-
2536
- its('options') { should eq ['rw', 'mode=620'] }
2537
-
2538
-
2539
- Examples
2540
- -----------------------------------------------------
2541
- The following examples show how to use this InSpec audit resource.
2542
-
2543
- **Test a the mount point on '/'**
2544
-
2545
- .. code-block:: ruby
2546
-
2547
- describe mount('/') do
2548
- it { should be_mounted }
2549
- its('device') { should eq '/dev/mapper/VolGroup-lv_root' }
2550
- its('type') { should eq 'ext4' }
2551
- its('options') { should eq ['rw', 'mode=620'] }
2552
- end
2553
-
2554
-
2555
-
2556
- mysql_conf
2557
- =====================================================
2558
- Use the ``mysql_conf`` |inspec resource| to test the contents of the configuration file for |mysql|, typically located at ``/etc/mysql/my.cnf`` or ``/etc/my.cnf``.
2559
-
2560
- Syntax
2561
- -----------------------------------------------------
2562
- A ``mysql_conf`` |inspec resource| block declares one (or more) settings in the ``my.cnf`` file, and then compares the setting in the configuration file to the value stated in the test:
2563
-
2564
- .. code-block:: ruby
2565
-
2566
- describe mysql_conf('path') do
2567
- its('setting') { should eq 'value' }
2568
- end
2569
-
2570
- where
2571
-
2572
- * ``'setting'`` specifies a setting in the ``my.cnf`` file, such as ``max_connections``
2573
- * ``('path')`` is the non-default path to the ``my.cnf`` file
2574
- * ``should eq 'value'`` is the value that is expected
2575
-
2576
- **Stability: Experimental**
2577
-
2578
- Matchers
2579
- -----------------------------------------------------
2580
- This InSpec audit resource has the following matchers.
2581
-
2582
- setting
2583
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2584
- The ``setting`` matcher tests specific, named settings in the ``my.cnf`` file:
2585
-
2586
- .. code-block:: ruby
2587
-
2588
- its('setting') { should eq 'value' }
2589
-
2590
- Use a ``setting`` matcher for each setting to be tested.
2591
-
2592
- Examples
2593
- -----------------------------------------------------
2594
- The following examples show how to use this InSpec audit resource.
2595
-
2596
- **Test the maximum number of allowed connections**
2597
-
2598
- .. code-block:: ruby
2599
-
2600
- describe mysql_conf do
2601
- its('max_connections') { should eq '505' }
2602
- its('max_user_connections') { should eq '500' }
2603
- end
2604
-
2605
- **Test slow query logging**
2606
-
2607
- .. code-block:: ruby
2608
-
2609
- describe mysql_conf do
2610
- its('slow_query_log_file') { should eq 'hostname_slow.log' }
2611
- its('slow_query_log') { should eq '0' }
2612
- its('log_queries_not_using_indexes') { should eq '1' }
2613
- its('long_query_time') { should eq '0.5' }
2614
- its('min_examined_row_limit') { should eq '100' }
2615
- end
2616
-
2617
- **Test the port and socket on which MySQL listens**
2618
-
2619
- .. code-block:: ruby
2620
-
2621
- describe mysql_conf do
2622
- its('port') { should eq '3306' }
2623
- its('socket') { should eq '/var/run/mysqld/mysql.sock' }
2624
- end
2625
-
2626
- **Test connection and thread variables**
2627
-
2628
- .. code-block:: ruby
2629
-
2630
- describe mysql_conf do
2631
- its('port') { should eq '3306' }
2632
- its('socket') { should eq '/var/run/mysqld/mysql.sock' }
2633
- its('max_allowed_packet') { should eq '12M' }
2634
- its('default_storage_engine') { should eq 'InnoDB' }
2635
- its('character_set_server') { should eq 'utf8' }
2636
- its('collation_server') { should eq 'utf8_general_ci' }
2637
- its('max_connections') { should eq '505' }
2638
- its('max_user_connections') { should eq '500' }
2639
- its('thread_cache_size') { should eq '505' }
2640
- end
2641
-
2642
- **Test the safe-user-create parameter**
2643
-
2644
- .. code-block:: ruby
2645
-
2646
- describe mysql_conf.params('mysqld') do
2647
- its('safe-user-create') { should eq('1') }
2648
- end
2649
-
2650
-
2651
- mysql_session
2652
- =====================================================
2653
- Use the ``mysql_session`` |inspec resource| to test SQL commands run against a |mysql| database.
2654
-
2655
- **Stability: Experimental**
2656
-
2657
- Syntax
2658
- -----------------------------------------------------
2659
- A ``mysql_session`` |inspec resource| block declares the username and password to use for the session, and then the command to be run:
2660
-
2661
- .. code-block:: ruby
2662
-
2663
- describe mysql_session('username', 'password').query('QUERY') do
2664
- its('output') { should eq('') }
2665
- end
2666
-
2667
- where
2668
-
2669
- * ``mysql_session`` declares a username and password with permission to run the query
2670
- * ``query('QUERY')`` contains the query to be run
2671
- * ``its('output') { should eq('') }`` compares the results of the query against the expected result in the test
2672
-
2673
- Matchers
2674
- -----------------------------------------------------
2675
- This InSpec audit resource has the following matchers.
2676
-
2677
- output
2678
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2679
- The ``output`` matcher tests the results of the query:
2680
-
2681
- .. code-block:: ruby
2682
-
2683
- its('output') { should eq(/^0/) }
2684
-
2685
- Examples
2686
- -----------------------------------------------------
2687
- The following examples show how to use this InSpec audit resource.
2688
-
2689
- **Test for matching databases**
2690
-
2691
- .. code-block:: ruby
2692
-
2693
- sql = mysql_session('my_user','password')
2694
- describe sql.query('show databases like \'test\';') do
2695
- its('stdout') { should_not match(/test/) }
2696
- end
2697
-
2698
-
2699
-
2700
-
2701
- npm
2702
- =====================================================
2703
- Use the ``npm`` |inspec resource| to test if a global |npm| package is installed. |npm| is the `the package manager for Nodejs packages <https://docs.npmjs.com>`__, such as |bower| and |statsd|.
2704
-
2705
- **Stability: Experimental**
2706
-
2707
- Syntax
2708
- -----------------------------------------------------
2709
- A ``npm`` |inspec resource| block declares a package and (optionally) a package version:
2710
-
2711
- .. code-block:: ruby
2712
-
2713
- describe gem('npm_package_name') do
2714
- it { should be_installed }
2715
- end
2716
-
2717
- where
2718
-
2719
- * ``('npm_package_name')`` must specify a |npm| package, such as ``'bower'`` or ``'statsd'``
2720
- * ``be_installed`` is a valid matcher for this |inspec resource|
2721
-
2722
- Matchers
2723
- -----------------------------------------------------
2724
- This InSpec audit resource has the following matchers.
2725
-
2726
- be_installed
2727
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2728
- The ``be_installed`` matcher tests if the named |gem| package and package version (if specified) is installed:
2729
-
2730
- .. code-block:: ruby
2731
-
2732
- it { should be_installed }
2733
-
2734
- version
2735
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2736
- The ``version`` matcher tests if the named package version is on the system:
2737
-
2738
- .. code-block:: ruby
2739
-
2740
- its('version') { should eq '1.2.3' }
2741
-
2742
- Examples
2743
- -----------------------------------------------------
2744
- The following examples show how to use this InSpec audit resource.
2745
-
2746
- **Verify that bower is installed, with a specific version**
2747
-
2748
- .. code-block:: ruby
2749
-
2750
- describe npm('bower') do
2751
- it { should be_installed }
2752
- its('version') { should eq '1.4.1' }
2753
- end
2754
-
2755
- **Verify that statsd is not installed**
2756
-
2757
- .. code-block:: ruby
2758
-
2759
- describe npm('statsd') do
2760
- it { should_not be_installed }
2761
- end
2762
-
2763
-
2764
- ntp_conf
2765
- =====================================================
2766
- Use the ``ntp_conf`` |inspec resource| to test the synchronization settings defined in the ``ntp.conf`` file. This file is typically located at ``/etc/ntp.conf``.
2767
-
2768
- **Stability: Experimental**
2769
-
2770
- Syntax
2771
- -----------------------------------------------------
2772
- An ``ntp_conf`` |inspec resource| block declares the synchronization settings that should be tested:
2773
-
2774
- .. code-block:: ruby
2775
-
2776
- describe ntp_conf('path') do
2777
- its('setting_name') { should eq 'value' }
2778
- end
2779
-
2780
- where
2781
-
2782
- * ``'setting_name'`` is a synchronization setting defined in the ``ntp.conf`` file
2783
- * ``('path')`` is the non-default path to the ``ntp.conf`` file
2784
- * ``{ should eq 'value' }`` is the value that is expected
2785
-
2786
- Matchers
2787
- -----------------------------------------------------
2788
- This |inspec resource| matches any service that is listed in the ``ntp.conf`` file:
2789
-
2790
- .. code-block:: ruby
2791
-
2792
- its('server') { should_not eq nil }
2793
-
2794
- or:
2795
-
2796
- .. code-block:: ruby
2797
-
2798
- its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
2799
-
2800
- For example:
2801
-
2802
- .. code-block:: ruby
2803
-
2804
- describe ntp_conf do
2805
- its('server') { should_not eq nil }
2806
- its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery'}
2807
- end
2808
-
2809
- Examples
2810
- -----------------------------------------------------
2811
- The following examples show how to use this InSpec audit resource.
2812
-
2813
- **Test for clock drift against named servers**
2814
-
2815
- .. code-block:: ruby
2816
-
2817
- describe ntp_conf do
2818
- its('driftfile') { should eq '/var/lib/ntp/ntp.drift' }
2819
- its('server') { should eq [
2820
- 0.ubuntu.pool.ntp.org,
2821
- 1.ubuntu.pool.ntp.org,
2822
- 2.ubuntu.pool.ntp.org
2823
- ] }
2824
- end
2825
-
2826
-
2827
-
2828
- oneget
2829
- =====================================================
2830
- Use the ``oneget`` |inspec resource| to test if the named package and/or package version is installed on the system. This resource uses |oneget|, which is `part of the Windows Management Framework 5.0 and Windows 10 <https://github.com/OneGet/oneget>`__. This resource uses the ``Get-Package`` cmdlet to return all of the package names in the |oneget| repository.
2831
-
2832
- **Stability: Experimental**
2833
-
2834
- Syntax
2835
- -----------------------------------------------------
2836
- A ``oneget`` |inspec resource| block declares a package and (optionally) a package version:
2837
-
2838
- .. code-block:: ruby
2839
-
2840
- describe oneget('name') do
2841
- it { should be_installed }
2842
- end
2843
-
2844
- where
2845
-
2846
- * ``('name')`` must specify the name of a package, such as ``'VLC'``
2847
- * ``be_installed`` is a valid matcher for this |inspec resource|
2848
-
2849
- Matchers
2850
- -----------------------------------------------------
2851
- This InSpec audit resource has the following matchers.
2852
-
2853
- be_installed
2854
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2855
- The ``be_installed`` matcher tests if the named package is installed on the system:
2856
-
2857
- .. code-block:: ruby
2858
-
2859
- it { should be_installed }
2860
-
2861
- version
2862
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2863
- The ``version`` matcher tests if the named package version is on the system:
2864
-
2865
- .. code-block:: ruby
2866
-
2867
- its('version') { should eq '1.2.3' }
2868
-
2869
- Examples
2870
- -----------------------------------------------------
2871
- The following examples show how to use this InSpec audit resource.
2872
-
2873
- **Test if VLC is installed**
2874
-
2875
- .. code-block:: ruby
2876
-
2877
- describe oneget('VLC') do
2878
- it { should be_installed }
2879
- end
2880
-
2881
-
2882
- os
2883
- =====================================================
2884
- Use the ``os`` |inspec resource| to test the platform on which the system is running.
2885
-
2886
- **Stability: Stable**
2887
-
2888
- Syntax
2889
- -----------------------------------------------------
2890
- A ``os`` |inspec resource| block declares the platform to be tested:
2891
-
2892
- .. code-block:: ruby
2893
-
2894
- describe os[:family] do
2895
- it { should eq 'platform' }
2896
- end
2897
-
2898
- where
2899
-
2900
- * ``'family'`` is one of ``aix``, ``bsd``, ``debian``, ``hpux``, ``linux``, ``redhat``, ``solaris``, ``suse``, ``unix``, or ``windows``
2901
-
2902
-
2903
- Matchers
2904
- -----------------------------------------------------
2905
- This InSpec audit resource does not have any matchers.
2906
-
2907
- Examples
2908
- -----------------------------------------------------
2909
- The following examples show how to use this InSpec audit resource.
2910
-
2911
- **Test for RedHat**
2912
-
2913
- .. code-block:: ruby
2914
-
2915
- describe os[:family] do
2916
- it { should eq 'redhat' }
2917
- end
2918
-
2919
- **Test for Ubuntu**
2920
-
2921
- .. code-block:: ruby
2922
-
2923
- describe os[:family] do
2924
- it { should eq 'debian' }
2925
- end
2926
-
2927
- **Test for Microsoft Windows**
2928
-
2929
- .. code-block:: ruby
2930
-
2931
- describe os[:family] do
2932
- it { should eq 'windows' }
2933
- end
2934
-
2935
-
2936
- os_env
2937
- =====================================================
2938
- Use the ``os_env`` |inspec resource| to test the environment variables for the platform on which the system is running.
2939
-
2940
- **Stability: Experimental**
2941
-
2942
- Syntax
2943
- -----------------------------------------------------
2944
- A ``os_env`` |inspec resource| block declares an environment variable, and then declares its value:
2945
-
2946
- .. code-block:: ruby
2947
-
2948
- describe os_env('VARIABLE') do
2949
- its('matcher') { should eq 1 }
2950
- end
2951
-
2952
- where
2953
-
2954
- * ``('VARIABLE')`` must specify an environment variable, such as ``PATH``
2955
- * ``matcher`` is a valid matcher for this InSpec resource
2956
-
2957
- Matchers
2958
- -----------------------------------------------------
2959
- This InSpec audit resource has the following matchers.
2960
-
2961
- content
2962
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2963
- The ``content`` matcher return the value of the environment variable:
2964
-
2965
- .. code-block:: ruby
2966
-
2967
- its('content') { should eq '/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin' }
2968
-
2969
- split
2970
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
2971
- The ``split`` splits the content with the ``:``` deliminator:
2972
-
2973
- .. code-block:: ruby
2974
-
2975
- its('split') { should include ('') }
2976
-
2977
- or:
2978
-
2979
- .. code-block:: ruby
2980
-
2981
- its('split') { should_not include ('.') }
2982
-
2983
- Use ``-1`` to test for cases where there is a trailing colon (``:``), such as ``dir1::dir2:``:
2984
-
2985
- .. code-block:: ruby
2986
-
2987
- its('split') { should include ('-1') }
2988
-
2989
-
2990
- Examples
2991
- -----------------------------------------------------
2992
- The following examples show how to use this InSpec audit resource.
2993
-
2994
- **Test the PATH environment variable**
2995
-
2996
- .. code-block:: ruby
2997
-
2998
- describe os_env('PATH') do
2999
- its('split') { should_not include('') }
3000
- its('split') { should_not include('.') }
3001
- end
3002
-
3003
-
3004
- package
3005
- =====================================================
3006
- Use the ``package`` |inspec resource| to test if the named package and/or package version is installed on the system.
3007
-
3008
- **Stability: Stable**
3009
-
3010
- Syntax
3011
- -----------------------------------------------------
3012
- A ``package`` |inspec resource| block declares a package and (optionally) a package version:
3013
-
3014
- .. code-block:: ruby
3015
-
3016
- describe package('name') do
3017
- it { should be_installed }
3018
- end
3019
-
3020
- where
3021
-
3022
- * ``('name')`` must specify the name of a package, such as ``'nginx'``
3023
- * ``be_installed`` is a valid matcher for this |inspec resource|
3024
-
3025
- Matchers
3026
- -----------------------------------------------------
3027
- This InSpec audit resource has the following matchers.
3028
-
3029
- be_installed
3030
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3031
- The ``be_installed`` matcher tests if the named package is installed on the system:
3032
-
3033
- .. code-block:: ruby
3034
-
3035
- it { should be_installed }
3036
-
3037
- version
3038
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3039
- The ``version`` matcher tests if the named package version is on the system:
3040
-
3041
- .. code-block:: ruby
3042
-
3043
- its('version') { should eq '1.2.3' }
3044
-
3045
- Examples
3046
- -----------------------------------------------------
3047
- The following examples show how to use this InSpec audit resource.
3048
-
3049
- **Test if nginx version 1.9.5 is installed**
3050
-
3051
- .. code-block:: ruby
3052
-
3053
- describe package('nginx') do
3054
- it { should be_installed }
3055
- its('version') { should eq 1.9.5 }
3056
- end
3057
-
3058
- **Test that a package is not installed**
3059
-
3060
- .. code-block:: ruby
3061
-
3062
- describe package('some_package') do
3063
- it { should_not be_installed }
3064
- end
3065
-
3066
- **Test if telnet is installed**
3067
-
3068
- .. code-block:: ruby
3069
-
3070
- describe package('telnetd') do
3071
- it { should_not be_installed }
3072
- end
3073
-
3074
- describe inetd_conf do
3075
- its('telnet') { should eq nil }
3076
- end
3077
-
3078
- **Test if ClamAV (an antivirus engine) is installed and running**
3079
-
3080
- .. code-block:: ruby
3081
-
3082
- describe package('clamav') do
3083
- it { should be_installed }
3084
- its('version') { should eq '0.98.7' }
3085
- end
3086
-
3087
- describe service('clamd') do
3088
- it { should_not be_enabled }
3089
- it { should_not be_installed }
3090
- it { should_not be_running }
3091
- end
3092
-
3093
-
3094
- parse_config
3095
- =====================================================
3096
- Use the ``parse_config`` |inspec resource| to test arbitrary configuration files.
3097
-
3098
- **Stability: Experimental**
3099
-
3100
- Syntax
3101
- -----------------------------------------------------
3102
- A ``parse_config`` |inspec resource| block declares the location of the configuration setting to be tested, and then what value is to be tested. Because this |inspec resource| relies on arbitrary configuration files, the test itself is often arbitrary and relies on custom |ruby| code:
3103
-
3104
- .. code-block:: ruby
3105
-
3106
- output = command('some-command').stdout
3107
-
3108
- describe parse_config(output, { data_config_option: value } ) do
3109
- its('setting') { should eq 1 }
3110
- end
3111
-
3112
- or:
3113
-
3114
- .. code-block:: ruby
3115
-
3116
- audit = command('/sbin/auditctl -l').stdout
3117
- options = {
3118
- assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
3119
- multiple_values: true
3120
- }
3121
-
3122
- describe parse_config(audit, options) do
3123
- its('setting') { should eq 1 }
3124
- end
3125
-
3126
- where each test
3127
-
3128
- * Must declare the location of the configuration file to be tested
3129
- * Must declare one (or more) settings to be tested
3130
- * May run a command to ``stdout``, and then run the test against that output
3131
- * May use options to define how configuration data is to be parsed
3132
-
3133
- Options
3134
- -----------------------------------------------------
3135
- This |inspec resource| supports the following options for parsing configuration data. Use them in an ``options`` block stated outside of (and immediately before) the actual test:
3136
-
3137
- .. code-block:: ruby
3138
-
3139
- options = {
3140
- assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
3141
- multiple_values: true
3142
- }
3143
- describe parse_config(options) do
3144
- its('setting') { should eq 1 }
3145
- end
3146
-
3147
- assignment_re
3148
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3149
- Use ``assignment_re`` to test a key value using a regular expression:
3150
-
3151
- .. code-block:: ruby
3152
-
3153
- 'key = value'
3154
-
3155
- may be tested using the following regular expression, which determines assignment from key to value:
3156
-
3157
- .. code-block:: ruby
3158
-
3159
- assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
3160
-
3161
- comment_char
3162
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3163
- Use ``comment_char`` to test for comments in a configuration file:
3164
-
3165
- .. code-block:: ruby
3166
-
3167
- comment_char: '#'
3168
-
3169
- key_vals
3170
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3171
- Use ``key_vals`` to test how many values a key contains:
3172
-
3173
- .. code-block:: ruby
3174
-
3175
- key = a b c
3176
-
3177
- contains three values. To test that value to ensure it only contains one, use:
3178
-
3179
- .. code-block:: ruby
3180
-
3181
- key_vals: 1
3182
-
3183
- multiple_values
3184
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3185
- Use ``multiple_values`` if the source file uses the same key multiple times. All values will be aggregated in an array:
3186
-
3187
- .. code-block:: ruby
3188
-
3189
- # # file structure:
3190
- # key = a
3191
- # key = b
3192
- # key2 = c
3193
- params['key'] = ['a', 'b']
3194
- params['key2'] = ['c']
3195
-
3196
- To use plain key value mapping, use ``multiple_values: false``:
3197
-
3198
- .. code-block:: ruby
3199
-
3200
- # # file structure:
3201
- # key = a
3202
- # key = b
3203
- # key2 = c
3204
- params['key'] = 'b'
3205
- params['key2'] = 'c'
3206
-
3207
-
3208
- standalone_comments
3209
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3210
- Use ``standalone_comments`` to parse comments as a line , otherwise inline comments are allowed:
3211
-
3212
- .. code-block:: ruby
3213
-
3214
- 'key = value # comment'
3215
- params['key'] = 'value # comment'
3216
-
3217
-
3218
- Use ``standalone_comments: false``, to parse the following:
3219
-
3220
- .. code-block:: ruby
3221
-
3222
- 'key = value # comment'
3223
- params['key'] = 'value'
3224
-
3225
- Examples
3226
- -----------------------------------------------------
3227
- The following examples show how to use this InSpec audit resource.
3228
-
3229
- **Test the expiration time for new account passwords**
3230
-
3231
- .. code-block:: ruby
3232
-
3233
- output = command('useradd -D').stdout
3234
-
3235
- describe parse_config(output) do
3236
- its('INACTIVE') { should eq '35' }
3237
- end
3238
-
3239
- **Test that bob is a user**
3240
-
3241
- .. code-block:: ruby
3242
-
3243
- describe parse_config(data, { multiple_values: true }) do
3244
- its('users') { should include 'bob'}
3245
- end
3246
-
3247
-
3248
- parse_config_file
3249
- =====================================================
3250
- Use the ``parse_config_file`` InSpec audit resource to test arbitrary configuration files. It works identiacal to ``parse_config``. Instead of using a command output, this resource works with files.
3251
-
3252
- **Stability: Experimental**
3253
-
3254
- Syntax
3255
- -----------------------------------------------------
3256
- A ``parse_config_file`` InSpec audit resource block declares the location of the configuration file to be tested, and then which settings in that file are to be tested.
3257
-
3258
- .. code-block:: ruby
3259
-
3260
- describe parse_config_file('/path/to/file', { data_config_option: value } ) do
3261
- its('setting') { should eq 1 }
3262
- end
3263
-
3264
- or:
3265
-
3266
- .. code-block:: ruby
3267
-
3268
- options = {
3269
- assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
3270
- multiple_values: true
3271
- }
3272
-
3273
- describe parse_config_file('path/to/file', options) do
3274
- its('setting') { should eq 1 }
3275
- end
3276
-
3277
- where each test
3278
-
3279
- * Must declare the location of the configuration file to be tested
3280
- * Must declare one (or more) settings to be tested
3281
- * May run a command to ``stdout``, and then run the test against that output
3282
- * May use options to define how configuration data is to be parsed
3283
-
3284
- Options
3285
- -----------------------------------------------------
3286
- This |inspec resource| supports the following options for parsing configuration data. Use them in an ``options`` block stated outside of (and immediately before) the actual test:
3287
-
3288
- .. code-block:: ruby
3289
-
3290
- options = {
3291
- assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
3292
- multiple_values: true
3293
- }
3294
- describe parse_config_file('path/to/file', options) do
3295
- its('setting') { should eq 1 }
3296
- end
3297
-
3298
- assignment_re
3299
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3300
- Use ``assignment_re`` to parse a key value using a regular expression:
3301
-
3302
- .. code-block:: ruby
3303
-
3304
- 'key = value'
3305
-
3306
- may be parsed using the following regular expression, which determines assignment from key to value:
3307
-
3308
- .. code-block:: ruby
3309
-
3310
- assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
3311
-
3312
- comment_char
3313
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3314
- Use ``comment_char`` to parse for comments in a configuration file:
3315
-
3316
- .. code-block:: ruby
3317
-
3318
- comment_char: '#'
3319
-
3320
- key_vals
3321
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3322
- Use ``key_vals`` to parse how many values a key contains:
3323
-
3324
- .. code-block:: ruby
3325
-
3326
- key = a b c
3327
-
3328
- contains three values. To test that value to ensure it only contains one, use:
3329
-
3330
- .. code-block:: ruby
3331
-
3332
- key_vals: 1
3333
-
3334
-
3335
- multiple_values
3336
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3337
- Use ``multiple_values`` if the source file uses the same key multiple times. All values will be aggregated in an array:
3338
-
3339
- .. code-block:: ruby
3340
-
3341
- # # file structure:
3342
- # key = a
3343
- # key = b
3344
- # key2 = c
3345
- params['key'] = ['a', 'b']
3346
- params['key2'] = ['c']
3347
-
3348
- To use plain key value mapping, use ``multiple_values: false``:
3349
-
3350
- .. code-block:: ruby
3351
-
3352
- # # file structure:
3353
- # key = a
3354
- # key = b
3355
- # key2 = c
3356
- params['key'] = 'b'
3357
- params['key2'] = 'c'
3358
-
3359
-
3360
- standalone_comments
3361
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3362
- Use ``standalone_comments`` to parse comments as a line , otherwise inline comments are allowed:
3363
-
3364
- .. code-block:: ruby
3365
-
3366
- 'key = value # comment'
3367
- params['key'] = 'value # comment'
3368
-
3369
-
3370
- Use ``standalone_comments: false``, to parse the following:
3371
-
3372
- .. code-block:: ruby
3373
-
3374
- 'key = value # comment'
3375
- params['key'] = 'value'
3376
-
3377
- Examples
3378
- -----------------------------------------------------
3379
- The following examples show how to use this InSpec audit resource.
3380
-
3381
- **Test a configuration setting**
3382
-
3383
- .. code-block:: ruby
3384
-
3385
- describe parse_config_file('/path/to/file.conf') do
3386
- its('PARAM_X') { should eq 'Y' }
3387
- end
3388
-
3389
- **Use options, and then test a configuration setting**
3390
-
3391
- .. code-block:: ruby
3392
-
3393
- describe parse_config_file('/path/to/file.conf', { multiple_values: true }) do
3394
- its('PARAM_X') { should include 'Y' }
3395
- end
3396
-
3397
-
3398
-
3399
- passwd
3400
- =====================================================
3401
- Use the ``passwd`` |inspec resource| to test the contents of ``/etc/passwd``, which contains the following information for users that may log into the system and/or as users that own running processes. The format for ``/etc/passwd`` includes:
3402
-
3403
- * A username
3404
- * The password for that user (on newer systems passwords should be stored in ``/etc/shadow`` )
3405
- * The user identifier (UID) assigned to that user
3406
- * The group identifier (GID) assigned to that user
3407
- * Additional information about that user
3408
- * That user's home directory
3409
- * That user's default command shell
3410
-
3411
- defined as a colon-delimited row in the file, one row per user:
3412
-
3413
- .. code-block:: bash
3414
-
3415
- root:x:1234:5678:additional_info:/home/dir/:/bin/bash
3416
-
3417
- **Stability: Experimental**
3418
-
3419
- Syntax
3420
- -----------------------------------------------------
3421
- A ``passwd`` |inspec resource| block declares one (or more) users and associated user information to be tested:
3422
-
3423
- .. code-block:: ruby
3424
-
3425
- describe passwd do
3426
- its('users') { should_not include 'forbidden_user' }
3427
- end
3428
-
3429
- describe passwd.uid(0) do
3430
- its('users') { should cmp 'root' }
3431
- its('count') { should eq 1 }
3432
- end
3433
-
3434
- where
3435
-
3436
- * ``users``, ``uids``, ``gids``, ``passwords``, ``homes``, and ``shells`` are valid accessors for ``passwd``
3437
- * All of these matchers can be given an argument to filter by, for example: ``passwd.users(/name/)``
3438
- * There is an explicit method to filter by (``filter``) which can take multiple arguments at once
3439
- * ``count`` retrieves the number of entries
3440
- * ``lines`` provides raw passwd lines
3441
- * ``params`` returns an array of maps for all entries
3442
-
3443
-
3444
- Matchers for ``passwd``
3445
- -----------------------------------------------------
3446
- This InSpec audit resource has the following matchers.
3447
-
3448
- gids
3449
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3450
- The ``gids`` matcher tests if the group indentifiers in the test match group identifiers in ``/etc/passwd``:
3451
-
3452
- .. code-block:: ruby
3453
-
3454
- its('gids') { should include 1234 }
3455
- its('gids') { should cmp 0 }
3456
-
3457
- passwords
3458
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3459
- The ``passwords`` matcher tests if passwords are
3460
-
3461
- * Encrypted
3462
- * Have direct logins disabled, as indicated by an asterisk (``*``)
3463
- * In the ``/etc/shadow`` file, as indicated by the letter x (``x``)
3464
-
3465
- For example:
3466
-
3467
- .. code-block:: ruby
3468
-
3469
- its('passwords') { should eq ['x'] }
3470
- its('passwords') { should cmp '*' }
3471
-
3472
- uids
3473
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3474
- The ``uids`` matcher tests if the user indentifiers in the test match user identifiers in ``/etc/passwd``:
3475
-
3476
- .. code-block:: ruby
3477
-
3478
- its('uids') { should eq ['1234', '1235'] }
3479
-
3480
- users
3481
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3482
- The ``users`` matcher tests if the usernames in the test match usernames in ``/etc/passwd``:
3483
-
3484
- .. code-block:: ruby
3485
-
3486
- its('users') { should_not include 'www-data' }
3487
-
3488
-
3489
- count
3490
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3491
- The ``count`` matcher tests the number of entries in ``/etc/passwd``. It becomes especially useful in conjunction combination with filters:
3492
-
3493
- .. code-block:: ruby
3494
-
3495
- describe passwd.users('highlander') do
3496
- its('count') { should eq 1 }
3497
- end
3498
-
3499
-
3500
- Examples
3501
- -----------------------------------------------------
3502
- The following examples show how to use this InSpec audit resource.
3503
-
3504
- **Test usernames and UIDs**
3505
-
3506
- .. code-block:: ruby
3507
-
3508
- describe passwd do
3509
- its('users') { should eq ['root', 'www-data'] }
3510
- its('uids') { should eq [0, 33] }
3511
- end
3512
-
3513
- **Select one user and test for multiple occurances in passwd**
3514
-
3515
- .. code-block:: ruby
3516
-
3517
- describe passwd.uids(0) do
3518
- its('users') { should cmp 'root' }
3519
- its('count') { should eq 1 }
3520
- end
3521
-
3522
- describe passwd.filter(user: 'www-data') do
3523
- its('uids') { should cmp 33 }
3524
- its('count') { should eq 1 }
3525
- end
3526
-
3527
-
3528
- pip
3529
- =====================================================
3530
- Use the ``pip`` |inspec resource| to test packages that are installed using the |pip| installer.
3531
-
3532
- **Stability: Experimental**
3533
-
3534
- Syntax
3535
- -----------------------------------------------------
3536
- A ``pip`` |inspec resource| block declares a package and (optionally) a package version:
3537
-
3538
- .. code-block:: ruby
3539
-
3540
- describe pip('Jinja2') do
3541
- it { should be_installed }
3542
- end
3543
-
3544
- where
3545
-
3546
- * ``'Jinja2'`` is the name of the package
3547
- * ``be_installed`` tests to see if the ``Jinja2`` package is installed
3548
-
3549
- Matchers
3550
- -----------------------------------------------------
3551
- This InSpec audit resource has the following matchers.
3552
-
3553
- be_installed
3554
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3555
- The ``be_installed`` matcher tests if the named package is installed on the system:
3556
-
3557
- .. code-block:: ruby
3558
-
3559
- it { should be_installed }
3560
-
3561
- version
3562
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3563
- The ``version`` matcher tests if the named package version is on the system:
3564
-
3565
- .. code-block:: ruby
3566
-
3567
- its('version') { should eq '1.2.3' }
3568
-
3569
- Examples
3570
- -----------------------------------------------------
3571
- The following examples show how to use this InSpec audit resource.
3572
-
3573
- **Test if Jinja2 is installed on the system**
3574
-
3575
- .. code-block:: ruby
3576
-
3577
- describe pip('Jinja2') do
3578
- it { should be_installed }
3579
- end
3580
-
3581
- **Test if Jinja2 2.8 is installed on the system**
3582
-
3583
- .. code-block:: ruby
3584
-
3585
- describe pip('Jinja2') do
3586
- it { should be_installed }
3587
- its('version') { should eq '2.8' }
3588
- end
3589
-
3590
-
3591
- port
3592
- =====================================================
3593
- Use the ``port`` |inspec resource| to test basic port properties, such as port, process, if it's listening.
3594
-
3595
- **Stability: Stable**
3596
-
3597
- Syntax
3598
- -----------------------------------------------------
3599
- A ``port`` |inspec resource| block declares a port, and then depending on what needs to be tested, a process, protocol, process identifier, and its state (is it listening?):
3600
-
3601
- .. code-block:: ruby
3602
-
3603
- describe port(514) do
3604
- it { should be_listening }
3605
- its('processes') {should include 'syslog'}
3606
- end
3607
-
3608
- where the ``processes`` returns the processes listening on port 514.
3609
-
3610
- or:
3611
-
3612
- .. code-block:: ruby
3613
-
3614
- describe port.where { protocol =~ /tcp/ && port > 22 && port < 80 } do
3615
- it { should_not be_listening }
3616
- end
3617
-
3618
- where
3619
-
3620
- * ``.where{}`` may specify a block to filter on attributes: port, address, protocol, process, pid, listening?
3621
-
3622
- Matchers
3623
- -----------------------------------------------------
3624
- This InSpec audit resource has the following matchers.
3625
-
3626
- be_listening
3627
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3628
- The ``be_listening`` matcher tests if the port is listening for traffic:
3629
-
3630
- .. code-block:: ruby
3631
-
3632
- it { should be_listening }
3633
-
3634
- pid
3635
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3636
- The ``pids`` matcher tests the process identifier (PID):
3637
-
3638
- .. code-block:: ruby
3639
-
3640
- its('pids') { should eq ['27808'] }
3641
-
3642
- process
3643
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3644
- The ``processes`` matcher tests if the named process is running on the system:
3645
-
3646
- .. code-block:: ruby
3647
-
3648
- its('processes') { should eq ['syslog'] }
3649
-
3650
- protocol
3651
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3652
- The ``protocols`` matcher tests the Internet protocol: |icmp| (``'icmp'``), |tcp| (``'tcp'`` or ``'tcp6'``), or |udp| (``'udp'`` or ``'udp6'``):
3653
-
3654
- .. code-block:: ruby
3655
-
3656
- its('protocols') { should eq ['tcp'] }
3657
-
3658
- or for the |ipv6| protocol:
3659
-
3660
- .. code-block:: ruby
3661
-
3662
- its('protocols') { should eq ['tcp6'] }
3663
-
3664
- Examples
3665
- -----------------------------------------------------
3666
- The following examples show how to use this InSpec audit resource.
3667
-
3668
- **Test port 80, listening with the TCP protocol**
3669
-
3670
- .. code-block:: ruby
3671
-
3672
- describe port(80) do
3673
- it { should be_listening }
3674
- its('protocols') {should eq ['tcp']}
3675
- end
3676
-
3677
- **Test port 80, listening with TCP version IPv6 protocol**
3678
-
3679
- .. code-block:: ruby
3680
-
3681
- describe port(80) do
3682
- it { should be_listening }
3683
- its('protocols') {should eq ['tcp6']}
3684
- end
3685
-
3686
- **Test ports for HTTPs**
3687
-
3688
- .. code-block:: ruby
3689
-
3690
- describe port(80) do
3691
- it { should_not be_listening }
3692
- end
3693
-
3694
- describe port(443) do
3695
- it { should be_listening }
3696
- its('protocols') {should eq ['tcp']}
3697
- end
3698
-
3699
- **Test port 80 on a specific address**
3700
-
3701
- This check can be implemented in two equivalent ways:
3702
-
3703
- .. code-block:: ruby
3704
-
3705
- describe port(80) do
3706
- it { should be_listening }
3707
- its('addresses') {should include '0.0.0.0'}
3708
- end
3709
-
3710
- describe port('0.0.0.0', 80) do
3711
- it { should be_listening }
3712
- end
3713
-
3714
- **Test that no ports above 80 are listening**
3715
-
3716
- .. code-block:: ruby
3717
-
3718
- describe port.where { protocol =~ /tcp/ && port > 80 } do
3719
- it { should_not be_listening }
3720
- end
3721
-
3722
- **Tests that only httpd and sshd are listening**
3723
-
3724
- describe port.where { listening? } do
3725
- its('processes') { should contain_exactly('sshd','httpd') }
3726
- end
3727
-
3728
- postgres_conf
3729
- =====================================================
3730
- Use the ``postgres_conf`` |inspec resource| to test the contents of the configuration file for |postgresql|, typically located at ``/etc/postgresql/<version>/main/postgresql.conf`` or ``/var/lib/postgres/data/postgresql.conf``, depending on the platform.
3731
-
3732
- **Stability: Experimental**
3733
-
3734
- Syntax
3735
- -----------------------------------------------------
3736
- A ``postgres_conf`` |inspec resource| block declares one (or more) settings in the ``postgresql.conf`` file, and then compares the setting in the configuration file to the value stated in the test:
3737
-
3738
- .. code-block:: ruby
3739
-
3740
- describe postgres_conf('path') do
3741
- its('setting') { should eq 'value' }
3742
- end
3743
-
3744
- where
3745
-
3746
- * ``'setting'`` specifies a setting in the ``postgresql.conf`` file
3747
- * ``('path')`` is the non-default path to the ``postgresql.conf`` file (optional)
3748
- * ``should eq 'value'`` is the value that is expected
3749
-
3750
- Matchers
3751
- -----------------------------------------------------
3752
- This InSpec audit resource has the following matchers.
3753
-
3754
- setting
3755
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3756
- The ``setting`` matcher tests specific, named settings in the ``postgresql.conf`` file:
3757
-
3758
- .. code-block:: ruby
3759
-
3760
- its('setting') { should eq 'value' }
3761
-
3762
- Use a ``setting`` matcher for each setting to be tested.
3763
-
3764
- Examples
3765
- -----------------------------------------------------
3766
- The following examples show how to use this InSpec audit resource.
3767
-
3768
- **Test the maximum number of allowed client connections**
3769
-
3770
- .. code-block:: ruby
3771
-
3772
- describe postgres_conf do
3773
- its('max_connections') { should eq '5' }
3774
- end
3775
-
3776
- **Test system logging**
3777
-
3778
- .. code-block:: ruby
3779
-
3780
- describe postgres_conf do
3781
- its('logging_collector') { should eq 'on' }
3782
- its('log_connections') { should eq 'on' }
3783
- its('log_disconnections') { should eq 'on' }
3784
- its('log_duration') { should eq 'on' }
3785
- its('log_hostname') { should eq 'on' }
3786
- its('log_line_prefix') { should eq '%t %u %d %h' }
3787
- end
3788
-
3789
- **Test the port on which PostgreSQL listens**
3790
-
3791
- .. code-block:: ruby
3792
-
3793
- describe postgres_conf do
3794
- its('port') { should eq '5432' }
3795
- end
3796
-
3797
- **Test the Unix socket settings**
3798
-
3799
- .. code-block:: ruby
3800
-
3801
- describe postgres_conf do
3802
- its('unix_socket_directories') { should eq '.s.PGSQL.5432' }
3803
- its('unix_socket_group') { should eq nil }
3804
- its('unix_socket_permissions') { should eq '0770' }
3805
- end
3806
-
3807
- where ``unix_socket_group`` is set to the |postgresql| default setting (the group to which the server user belongs).
3808
-
3809
-
3810
-
3811
- postgres_session
3812
- =====================================================
3813
- Use the ``postgres_session`` |inspec resource| to test SQL commands run against a |postgresql| database.
3814
-
3815
- **Stability: Experimental**
3816
-
3817
- Syntax
3818
- -----------------------------------------------------
3819
- A ``postgres_session`` |inspec resource| block declares the username and password to use for the session, and then the command to be run:
3820
-
3821
- .. code-block:: ruby
3822
-
3823
- sql = postgres_session('username', 'password')
3824
-
3825
- describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
3826
- its('output') { should eq('') }
3827
- end
3828
-
3829
- where
3830
-
3831
- * ``sql = postgres_session`` declares a username and password with permission to run the query
3832
- * ``sql.query('')`` contains the query to be run
3833
- * ``its('output') { should eq('') }`` compares the results of the query against the expected result in the test
3834
-
3835
- Matchers
3836
- -----------------------------------------------------
3837
- This InSpec audit resource has the following matchers.
3838
-
3839
- output
3840
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3841
- The ``output`` matcher tests the results of the query:
3842
-
3843
- .. code-block:: ruby
3844
-
3845
- its('output') { should eq(/^0/) }
3846
-
3847
- Examples
3848
- -----------------------------------------------------
3849
- The following examples show how to use this InSpec audit resource.
3850
-
3851
- **Test the PostgreSQL shadow password**
3852
-
3853
- .. code-block:: ruby
3854
-
3855
- sql = postgres_session('my_user', 'password')
3856
-
3857
- describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
3858
- its('output') { should eq('') }
3859
- end
3860
-
3861
- **Test for risky database entries**
3862
-
3863
- .. code-block:: ruby
3864
-
3865
- describe postgres_session('my_user', 'password').query('SELECT count (*)
3866
- FROM pg_language
3867
- WHERE lanpltrusted = \'f\'
3868
- AND lanname!=\'internal\'
3869
- AND lanname!=\'c\';') do
3870
- its('output') { should eq '0' }
3871
- end
3872
-
3873
-
3874
-
3875
- powershell
3876
- =====================================================
3877
- Use the ``powershell`` |inspec resource| to test a |powershell| script on the |windows| platform.
3878
-
3879
- **Stability: Experimental**
3880
-
3881
- Syntax
3882
- -----------------------------------------------------
3883
- A ``powershell`` |inspec resource| block declares a script to be tested, and then a command that should be part of that script:
3884
-
3885
- .. code-block:: ruby
3886
-
3887
- script = <<-EOH
3888
- # you powershell script
3889
- EOH
3890
-
3891
- describe powershell(script) do
3892
- its('matcher') { should eq 'output' }
3893
- end
3894
-
3895
-
3896
- where
3897
-
3898
- * ``'script'`` must specify a Powershell script to be run
3899
- * ``'matcher'`` is one of ``exit_status``, ``stderr``, or ``stdout``
3900
- * ``'output'`` tests the output of the command run on the system versus the output value stated in the test
3901
-
3902
-
3903
- Matchers
3904
- -----------------------------------------------------
3905
- This InSpec audit resource has the following matchers.
3906
-
3907
- exit_status
3908
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3909
- The ``exit_status`` matcher tests the exit status for the command:
3910
-
3911
- .. code-block:: ruby
3912
-
3913
- its('exit_status') { should eq 123 }
3914
-
3915
- stderr
3916
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3917
- The ``stderr`` matcher tests results of the command as returned in standard error (stderr):
3918
-
3919
- .. code-block:: ruby
3920
-
3921
- its('stderr') { should eq 'error' }
3922
-
3923
- stdout
3924
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3925
- The ``stdout`` matcher tests results of the command as returned in standard output (stdout):
3926
-
3927
- .. code-block:: ruby
3928
-
3929
- its('stdout') { should eq '/^1$/' }
3930
-
3931
- Examples
3932
- -----------------------------------------------------
3933
- The following examples show how to use this InSpec audit resource.
3934
-
3935
- **Get all groups of Administrator user**
3936
-
3937
- .. code-block:: ruby
3938
-
3939
- myscript = <<-EOH
3940
- # find user
3941
- $user = Get-WmiObject Win32_UserAccount -filter "Name = 'Administrator'"
3942
- # get related groups
3943
- $groups = $user.GetRelated('Win32_Group') | Select-Object -Property Caption, Domain, Name, LocalAccount, SID, SIDType, Status
3944
- $groups | ConvertTo-Json
3945
- EOH
3946
-
3947
- describe script(myscript) do
3948
- its('stdout') { should_not eq '' }
3949
- end
3950
-
3951
-
3952
-
3953
- processes
3954
- =====================================================
3955
- Use the ``processes`` |inspec resource| to test properties for programs that are running on the system.
3956
-
3957
- **Stability: Experimental**
3958
-
3959
- Syntax
3960
- -----------------------------------------------------
3961
- A ``processes`` |inspec resource| block declares the name of the process to be tested, and then declares one (or more) property/value pairs:
3962
-
3963
- .. code-block:: ruby
3964
-
3965
- describe processes('process_name') do
3966
- its('property_name') { should eq 'property_value' }
3967
- end
3968
-
3969
- where
3970
-
3971
- * ``processes('process_name')`` must specify the name of a process that is running on the system
3972
- * The ``user`` and ``state`` properties may be tested; they are exposed via ``users`` and ``states``, respectively.
3973
-
3974
- Matchers
3975
- -----------------------------------------------------
3976
- This InSpec audit resource has the following matchers.
3977
-
3978
- property_name
3979
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
3980
- The ``property_name`` matcher tests the named property for the specified value:
3981
-
3982
- .. code-block:: ruby
3983
-
3984
- its('property_name') { should eq 'property_value' }
3985
-
3986
- Examples
3987
- -----------------------------------------------------
3988
- The following examples show how to use this InSpec audit resource.
3989
-
3990
- .. The title for the example below needs to be clarified, then it can be uncommented
3991
- ..
3992
- .. **Test for multiple instances of Nginx**
3993
- ..
3994
- .. .. code-block:: ruby
3995
- ..
3996
- .. describe processes('postgres') do
3997
- .. its('list.length') { should be(1) }
3998
- .. end
3999
- ..
4000
-
4001
- **Test for multiple instances of mysqld**
4002
-
4003
- .. code-block:: ruby
4004
-
4005
- describe processes('mysqld') do
4006
- its('list.length') { should eq 1 }
4007
- end
4008
-
4009
- **Test if the init process is owned by the root user**
4010
-
4011
- .. code-block:: ruby
4012
-
4013
- describe processes('init') do
4014
- its('users') { should eq ['root'] }
4015
- end
4016
-
4017
- **Test if a high-priority process is running**
4018
-
4019
- .. code-block:: ruby
4020
-
4021
- describe processes('some_process') do
4022
- its('states') { should eq ['R<'] }
4023
- end
4024
-
4025
-
4026
- registry_key
4027
- =====================================================
4028
- Use the ``registry_key`` |inspec resource| to test key values in the |windows| registry.
4029
-
4030
- **Stability: Stable**
4031
-
4032
- Syntax
4033
- -----------------------------------------------------
4034
- A ``registry_key`` |inspec resource| block declares the item in the |windows| registry, the path to a setting under that item, and then one (or more) name/value pairs to be tested:
4035
-
4036
- .. code-block:: ruby
4037
-
4038
- describe registry_key('registry_item', 'path\to\key') do
4039
- its('name') { should eq 'value' }
4040
- end
4041
-
4042
- describe registry_key('path\to\key') do
4043
- its('name') { should eq 'value' }
4044
- end
4045
-
4046
- where
4047
-
4048
- * ``'registry_item'`` is a key in the |windows| registry (optional)
4049
- * ``'path\to\key'`` is the path in the |windows| registry
4050
- * ``('name')`` and ``'value'`` represent the name of the key and the value assigned to that key
4051
-
4052
- Matchers
4053
- -----------------------------------------------------
4054
- This InSpec audit resource has the following matchers.
4055
-
4056
- name
4057
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4058
- The ``name`` matcher tests the value for the specified registry setting:
4059
-
4060
- .. code-block:: ruby
4061
-
4062
- its('name') { should eq 'value' }
4063
-
4064
- Examples
4065
- -----------------------------------------------------
4066
- The following examples show how to use this InSpec audit resource.
4067
-
4068
- **Test the start time for the Schedule service**
4069
-
4070
- .. code-block:: ruby
4071
-
4072
- describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\...\Schedule') do
4073
- its('Start') { should eq 2 }
4074
- end
4075
-
4076
- where ``'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule'`` is the full path to the setting.
4077
-
4078
-
4079
- security_policy
4080
- =====================================================
4081
- Use the ``security_policy`` |inspec resource| to test security policies on the |windows| platform.
4082
-
4083
- **Stability: Experimental**
4084
-
4085
- Syntax
4086
- -----------------------------------------------------
4087
- A ``security_policy`` |inspec resource| block declares the name of a security policy and the value to be tested:
4088
-
4089
- .. code-block:: ruby
4090
-
4091
- describe security_policy do
4092
- its('policy_name') { should eq 'value' }
4093
- end
4094
-
4095
- where
4096
-
4097
- * ``'policy_name'`` must specify a security policy
4098
- * ``{ should eq 'value' }`` tests the value of ``policy_name`` against the value declared in the test
4099
-
4100
- Matchers
4101
- -----------------------------------------------------
4102
- This InSpec audit resource has the following matchers.
4103
-
4104
- policy_name
4105
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4106
- The ``policy_name`` matcher must be the name of a security policy:
4107
-
4108
- .. code-block:: ruby
4109
-
4110
- its('SeNetworkLogonRight') { should eq '*S-1-5-11' }
4111
-
4112
- Examples
4113
- -----------------------------------------------------
4114
- The following examples show how to use this InSpec audit resource.
4115
-
4116
- **Verify that only the Administrators group has remote access**
4117
-
4118
- .. code-block:: ruby
4119
-
4120
- describe security_policy do
4121
- its('SeRemoteInteractiveLogonRight') { should eq '*S-1-5-32-544' }
4122
- end
4123
-
4124
-
4125
- service
4126
- =====================================================
4127
- Use the ``service`` |inspec resource| to test if the named service is installed, running and/or enabled.
4128
-
4129
- **Stability: Stable**
4130
-
4131
- Syntax
4132
- -----------------------------------------------------
4133
- A ``service`` |inspec resource| block declares the name of a service and then one (or more) matchers to test the state of the service:
4134
-
4135
- .. code-block:: ruby
4136
-
4137
- describe service('service_name') do
4138
- it { should be_installed }
4139
- it { should be_enabled }
4140
- it { should be_running }
4141
- end
4142
-
4143
- where
4144
-
4145
- * ``('service_name')`` must specify a service name
4146
- * ``be_installed``, ``be_enabled``, and ``be_running`` are valid matchers for this |inspec resource|
4147
-
4148
- Matchers
4149
- -----------------------------------------------------
4150
- This InSpec audit resource has the following matchers.
4151
-
4152
- be_enabled
4153
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4154
- The ``be_enabled`` matcher tests if the named service is enabled:
4155
-
4156
- .. code-block:: ruby
4157
-
4158
- it { should be_enabled }
4159
-
4160
- be_installed
4161
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4162
- The ``be_installed`` matcher tests if the named service is installed:
4163
-
4164
- .. code-block:: ruby
4165
-
4166
- it { should be_installed }
4167
-
4168
- be_running
4169
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4170
- The ``be_running`` matcher tests if the named service is running:
4171
-
4172
- .. code-block:: ruby
4173
-
4174
- it { should be_running }
4175
-
4176
- Examples
4177
- -----------------------------------------------------
4178
- The following examples show how to use this InSpec audit resource.
4179
-
4180
- **Test if the postgresql service is both running and enabled**
4181
-
4182
- .. code-block:: ruby
4183
-
4184
- describe service('postgresql') do
4185
- it { should be_enabled }
4186
- it { should be_running }
4187
- end
4188
-
4189
- **Test if the mysql service is both running and enabled**
4190
-
4191
- .. code-block:: ruby
4192
-
4193
- describe service('mysqld') do
4194
- it { should be_enabled }
4195
- it { should be_running }
4196
- end
4197
-
4198
- **Test if ClamAV (an antivirus engine) is installed and running**
4199
-
4200
- .. code-block:: ruby
4201
-
4202
- describe package('clamav') do
4203
- it { should be_installed }
4204
- its('version') { should eq '0.98.7' }
4205
- end
4206
-
4207
- describe service('clamd') do
4208
- it { should_not be_enabled }
4209
- it { should_not be_installed }
4210
- it { should_not be_running }
4211
- end
4212
-
4213
-
4214
- **Test the runlevels for Sys-V services**
4215
-
4216
- On targets using Sys-V services, the existing runlevels can also be checked:
4217
-
4218
- .. code-block:: ruby
4219
-
4220
- describe service('sshd').runlevels do
4221
- its('keys') { should include(2) }
4222
- end
4223
-
4224
- describe service('sshd').runlevels(2,4) do
4225
- it { should be_enabled }
4226
- end
4227
-
4228
- **Override the service manager**
4229
-
4230
- Under some circumstances, it may be required to override the logic in place to select the right service manager. For example, if you want to check a service managed by Upstart, you can explicitly do so:
4231
-
4232
- .. code-block:: ruby
4233
-
4234
- describe upstart_service('service') do
4235
- it { should_not be_enabled }
4236
- it { should be_installed }
4237
- it { should be_running }
4238
- end
4239
-
4240
- The following service-manager-specific resources are available:
4241
-
4242
- * ``systemd_service``,
4243
- * ``runit_service``,
4244
- * ``sysv_service``,
4245
- * ``bsd_service``, and
4246
- * ``launchd_service``.
4247
-
4248
- These resources support the same matchers as the `service` resource.
4249
-
4250
- You can also provide the path to the service manager's control tool. This is useful in cases when it isn't available in the current `PATH`.
4251
- For example, if your `sv` command for services managed by Runit is not in PATH:
4252
-
4253
- .. code-block:: ruby
4254
-
4255
- describe runit_service('service', '/opt/chef/embedded/sbin/sv') do
4256
- it { should be_enabled }
4257
- it { should be_installed }
4258
- it { should be_running }
4259
- end
4260
-
4261
-
4262
- ssh_config
4263
- =====================================================
4264
- Use the ``ssh_config`` |inspec resource| to test |openssh| |ssh| client configuration data located at ``/etc/ssh/ssh_config`` on |linux| and |unix| platforms.
4265
-
4266
- **Stability: Experimental**
4267
-
4268
- Syntax
4269
- -----------------------------------------------------
4270
- A ``ssh_config`` |inspec resource| block declares the client |openssh| configuration data to be tested:
4271
-
4272
- .. code-block:: ruby
4273
-
4274
- describe ssh_config('path') do
4275
- its('name') { should include('foo') }
4276
- end
4277
-
4278
- where
4279
-
4280
- * ``name`` is a configuration setting in ``ssh_config``
4281
- * ``('path')`` is the non-default ``/path/to/ssh_config``
4282
- * ``{ should include('foo') }`` tests the value of ``name`` as read from ``ssh_config`` versus the value declared in the test
4283
-
4284
- Matchers
4285
- -----------------------------------------------------
4286
- This InSpec audit resource has the following matchers.
4287
-
4288
- name
4289
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4290
- The ``name`` matcher tests the value of ``name`` as read from ``ssh_config`` versus the value declared in the test:
4291
-
4292
- .. code-block:: ruby
4293
-
4294
- its('name') { should eq 'foo' }
4295
-
4296
- or:
4297
-
4298
- .. code-block:: ruby
4299
-
4300
- its('name') { should include('bar') }
4301
-
4302
- Examples
4303
- -----------------------------------------------------
4304
- The following examples show how to use this InSpec audit resource.
4305
-
4306
- **Test SSH configuration settings**
4307
-
4308
- .. code-block:: ruby
4309
-
4310
- describe ssh_config do
4311
- its('cipher') { should contain '3des' }
4312
- its('port') { should eq '22' }
4313
- its('hostname') { should include('example.com') }
4314
- end
4315
-
4316
- **Test which variables from the local environment are sent to the server**
4317
-
4318
- .. code-block:: ruby
4319
-
4320
- only_if do
4321
- command('sshd').exist? or command('ssh').exists?
4322
- end
4323
-
4324
- describe ssh_config do
4325
- its('SendEnv') { should include('GORDON_CLIENT') }
4326
- end
4327
-
4328
- **Test owner and group permissions**
4329
-
4330
- .. code-block:: ruby
4331
-
4332
- describe ssh_config do
4333
- its('owner') { should eq 'root' }
4334
- its('mode') { should cmp '0644' }
4335
- end
4336
-
4337
- **Test SSH configuration**
4338
-
4339
- .. code-block:: ruby
4340
-
4341
- describe ssh_config do
4342
- its('Host') { should eq '*' }
4343
- its('Tunnel') { should eq nil }
4344
- its('SendEnv') { should eq 'LANG LC_*' }
4345
- its('HashKnownHosts') { should eq 'yes' }
4346
- end
4347
-
4348
-
4349
- sshd_config
4350
- =====================================================
4351
- Use the ``sshd_config`` |inspec resource| to test configuration data for the |openssh| daemon located at ``/etc/ssh/sshd_config`` on |linux| and |unix| platforms. sshd---the |openssh| daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges.
4352
-
4353
- **Stability: Experimental**
4354
-
4355
- Syntax
4356
- -----------------------------------------------------
4357
- A ``sshd_config`` |inspec resource| block declares the client |openssh| configuration data to be tested:
4358
-
4359
- .. code-block:: ruby
4360
-
4361
- describe sshd_config('path') do
4362
- its('name') { should include('foo') }
4363
- end
4364
-
4365
- where
4366
-
4367
- * ``name`` is a configuration setting in ``sshd_config``
4368
- * ``('path')`` is the non-default ``/path/to/sshd_config``
4369
- * ``{ should include('foo') }`` tests the value of ``name`` as read from ``sshd_config`` versus the value declared in the test
4370
-
4371
- Matchers
4372
- -----------------------------------------------------
4373
- This InSpec audit resource has the following matchers.
4374
-
4375
- name
4376
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4377
- The ``name`` matcher tests the value of ``name`` as read from ``sshd_config`` versus the value declared in the test:
4378
-
4379
- .. code-block:: ruby
4380
-
4381
- its('name') { should eq 'foo' }
4382
-
4383
- or:
4384
-
4385
- .. code-block:: ruby
4386
-
4387
- its('name') {should include('bar') }
4388
-
4389
- Examples
4390
- -----------------------------------------------------
4391
- The following examples show how to use this InSpec audit resource.
4392
-
4393
- **Test which variables may be sent to the server**
4394
-
4395
- .. code-block:: ruby
4396
-
4397
- describe sshd_config do
4398
- its('AcceptEnv') { should include('GORDON_SERVER') }
4399
- end
4400
-
4401
- **Test for IPv6-only addresses**
4402
-
4403
- .. code-block:: ruby
4404
-
4405
- describe sshd_config do
4406
- its('AddressFamily') { should eq 'inet6' }
4407
- end
4408
-
4409
- **Test protocols**
4410
-
4411
- .. code-block:: ruby
4412
-
4413
- describe sshd_config do
4414
- its('Protocol') { should cmp 2 }
4415
- end
4416
-
4417
- **Test ciphers**
4418
-
4419
- .. code-block:: ruby
4420
-
4421
- describe sshd_config do
4422
- its('Ciphers') { should eq('chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr') }
4423
- end
4424
-
4425
- **Test SSH protocols**
4426
-
4427
- .. code-block:: ruby
4428
-
4429
- describe sshd_config do
4430
- its('Port') { should cmp 22 }
4431
- its('UsePAM') { should eq 'yes' }
4432
- its('ListenAddress') { should eq nil }
4433
- its('HostKey') { should eq [
4434
- '/etc/ssh/ssh_host_rsa_key',
4435
- '/etc/ssh/ssh_host_dsa_key',
4436
- '/etc/ssh/ssh_host_ecdsa_key',
4437
- ] }
4438
- end
4439
-
4440
-
4441
- user
4442
- =====================================================
4443
- Use the ``user`` |inspec resource| to test user profiles, including the groups to which they belong, the frequency of required password changes, the directory paths to home and shell.
4444
-
4445
- **Stability: Stable**
4446
-
4447
- Syntax
4448
- -----------------------------------------------------
4449
- A ``user`` |inspec resource| block declares a user name, and then one (or more) matchers:
4450
-
4451
- .. code-block:: ruby
4452
-
4453
- describe user('root') do
4454
- it { should exist }
4455
- its('uid') { should eq 1234 }
4456
- its('gid') { should eq 1234 }
4457
- its('group') { should eq 'root' }
4458
- its('groups') { should eq ['root', 'other']}
4459
- its('home') { should eq '/root' }
4460
- its('shell') { should eq '/bin/bash' }
4461
- its('mindays') { should eq 0 }
4462
- its('maxdays') { should eq 90 }
4463
- its('warndays') { should eq 8 }
4464
- end
4465
-
4466
- where
4467
-
4468
- * ``('root')`` is the user to be tested
4469
- * ``it { should exist }`` tests if the user exists
4470
- * ``gid``, ``group``, ``groups``, ``home``, ``maxdays``, ``mindays``, ``shell``, ``uid``, and ``warndays`` are valid matchers for this |inspec resource|
4471
-
4472
- Matchers
4473
- -----------------------------------------------------
4474
- This InSpec audit resource has the following matchers.
4475
-
4476
- exist
4477
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4478
- The ``exist`` matcher tests if the named user exists:
4479
-
4480
- .. code-block:: ruby
4481
-
4482
- it { should exist }
4483
-
4484
- gid
4485
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4486
- The ``gid`` matcher tests the group identifier:
4487
-
4488
- .. code-block:: ruby
4489
-
4490
- its('gid') { should eq 1234 } }
4491
-
4492
- where ``1234`` represents the user identifier.
4493
-
4494
- group
4495
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4496
- The ``group`` matcher tests the group to which the user belongs:
4497
-
4498
- .. code-block:: ruby
4499
-
4500
- its('group') { should eq 'root' }
4501
-
4502
- where ``root`` represents the group.
4503
-
4504
- groups
4505
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4506
- The ``groups`` matcher tests two (or more) groups to which the user belongs:
4507
-
4508
- .. code-block:: ruby
4509
-
4510
- its('groups') { should eq ['root', 'other']}
4511
-
4512
- home
4513
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4514
- The ``home`` matcher tests the home directory path for the user:
4515
-
4516
- .. code-block:: ruby
4517
-
4518
- its('home') { should eq '/root' }
4519
-
4520
- maxdays
4521
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4522
- The ``maxdays`` matcher tests the maximum number of days between password changes:
4523
-
4524
- .. code-block:: ruby
4525
-
4526
- its('maxdays') { should eq 99 }
4527
-
4528
- where ``99`` represents the maximum number of days.
4529
-
4530
- mindays
4531
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4532
- The ``mindays`` matcher tests the minimum number of days between password changes:
4533
-
4534
- .. code-block:: ruby
4535
-
4536
- its('mindays') { should eq 0 }
4537
-
4538
- where ``0`` represents the maximum number of days.
4539
-
4540
- shell
4541
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4542
- The ``shell`` matcher tests the path to the default shell for the user:
4543
-
4544
- .. code-block:: ruby
4545
-
4546
- its('shell') { should eq '/bin/bash' }
4547
-
4548
- uid
4549
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4550
- The ``uid`` matcher tests the user identifier:
4551
-
4552
- .. code-block:: ruby
4553
-
4554
- its('uid') { should eq 1234 } }
4555
-
4556
- where ``1234`` represents the user identifier.
4557
-
4558
- warndays
4559
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4560
- The ``warndays`` matcher tests the number of days a user is warned before a password must be changed:
4561
-
4562
- .. code-block:: ruby
4563
-
4564
- its('warndays') { should eq 5 }
4565
-
4566
- where ``5`` represents the number of days a user is warned.
4567
-
4568
- Examples
4569
- -----------------------------------------------------
4570
- The following examples show how to use this InSpec audit resource.
4571
-
4572
- **Verify available users for the MySQL server**
4573
-
4574
- .. code-block:: ruby
4575
-
4576
- describe user('root') do
4577
- it { should exist }
4578
- it { should belong_to_group 'root' }
4579
- its('uid') { should eq 0 }
4580
- its('groups') { should eq ['root'] }
4581
- end
4582
-
4583
- describe user('mysql') do
4584
- it { should_not exist }
4585
- end
4586
-
4587
- **Test users on multiple platforms**
4588
-
4589
- The |nginx| user is typically ``www-data``, but on |centos| it's ``nginx``. The following example shows how to test for the |nginx| user with a single test, but accounting for all platforms:
4590
-
4591
- .. code-block:: ruby
4592
-
4593
- web_user = 'www-data'
4594
- web_user = 'nginx' if os[:family] == 'centos'
4595
-
4596
- describe user(web_user) do
4597
- it { should exist }
4598
- end
4599
-
4600
-
4601
- windows_feature
4602
- =====================================================
4603
- Use the ``windows_feature`` |inspec resource| to test features on |windows|. It uses the ``Get-WindowsFeature`` cmdlet under the hood.
4604
-
4605
- **Stability: Experimental**
4606
-
4607
- Syntax
4608
- -----------------------------------------------------
4609
- A ``windows_feature`` |inspec resource| block declares the name of the |windows| feature, tests if that feature is installed, and then returns information about that feature:
4610
-
4611
- .. code-block:: ruby
4612
-
4613
- describe windows_feature('feature_name') do
4614
- it { should be_installed }
4615
- end
4616
-
4617
- where
4618
-
4619
- * ``('feature_name')`` must specify a |windows| feature name, such as ``DHCP Server`` or ``IIS-Webserver``
4620
- * ``be_installed`` is a valid matcher for this |inspec resource|
4621
-
4622
- Matchers
4623
- -----------------------------------------------------
4624
- This InSpec audit resource has the following matchers.
4625
-
4626
- be_installed
4627
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4628
- The ``be_installed`` matcher tests if the named |windows| feature is installed:
4629
-
4630
- .. code-block:: ruby
4631
-
4632
- it { should be_installed }
4633
-
4634
- Examples
4635
- -----------------------------------------------------
4636
- The following examples show how to use this InSpec audit resource.
4637
-
4638
- **Test the DHCP Server feature**
4639
-
4640
- .. code-block:: ruby
4641
-
4642
- describe windows_feature('DHCP Server') do
4643
- it{ should be_installed }
4644
- end
4645
-
4646
-
4647
- yaml
4648
- =====================================================
4649
- Use the ``yaml`` |inspec resource| to test configuration data in a |yaml| file.
4650
-
4651
- **Stability: Experimental**
4652
-
4653
- Syntax
4654
- -----------------------------------------------------
4655
- A ``yaml`` |inspec resource| block declares the configuration data to be tested:
4656
-
4657
- .. code-block:: yaml
4658
-
4659
- name: foo
4660
- array:
4661
- - zero
4662
- - one
4663
-
4664
-
4665
- This file can be queried via:
4666
-
4667
- .. code-block:: ruby
4668
-
4669
- describe yaml do
4670
- its('name') { should eq 'foo' }
4671
- its(['array', 1]) { should eq 'one' }
4672
- end
4673
-
4674
- where
4675
-
4676
- * ``name`` is a configuration setting in a |yaml| file
4677
- * ``should eq 'foo'`` tests a value of ``name`` as read from a |yaml| file versus the value declared in the test
4678
-
4679
- Matchers
4680
- -----------------------------------------------------
4681
- This InSpec audit resource has the following matchers.
4682
-
4683
- name
4684
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4685
- The ``name`` matcher tests the value of ``name`` as read from a |yaml| file versus the value declared in the test:
4686
-
4687
- .. code-block:: ruby
4688
-
4689
- its('name') { should eq 'foo' }
4690
-
4691
- Examples
4692
- -----------------------------------------------------
4693
- The following examples show how to use this InSpec audit resource.
4694
-
4695
- **Test a kitchen.yml file driver**
4696
-
4697
- .. code-block:: ruby
4698
-
4699
- describe yaml('.kitchen.yaml') do
4700
- its('driver.name') { should eq('vagrant') }
4701
- end
4702
-
4703
-
4704
- yum
4705
- =====================================================
4706
- Use the ``yum`` |inspec resource| to test packages in the |yum| repository.
4707
-
4708
- **Stability: Experimental**
4709
-
4710
- Syntax
4711
- -----------------------------------------------------
4712
- A ``yum`` |inspec resource| block declares a package repo, tests if the package repository is present, and if it that package repository is a valid package source (i.e. "is enabled"):
4713
-
4714
- .. code-block:: ruby
4715
-
4716
- describe yum.repo('name') do
4717
- it { should exist }
4718
- it { should be_enabled }
4719
- end
4720
-
4721
- where
4722
-
4723
- * ``repo('name')`` is the (optional) name of a package repo, using either a full identifier (``'updates/7/x86_64'``) or a short identifier (``'updates'``)
4724
-
4725
- Matchers
4726
- -----------------------------------------------------
4727
- This InSpec audit resource has the following matchers.
4728
-
4729
- be_enabled
4730
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4731
- The ``be_enabled`` matcher tests if the package repository is a valid package source:
4732
-
4733
- .. code-block:: ruby
4734
-
4735
- it { should be_enabled }
4736
-
4737
- exist
4738
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4739
- The ``exist`` matcher tests if the package repository exists:
4740
-
4741
- .. code-block:: ruby
4742
-
4743
- it { should exist }
4744
-
4745
- repo('name')
4746
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4747
- The ``repo('name')`` matcher names a specific package repository:
4748
-
4749
- .. code-block:: ruby
4750
-
4751
- describe yum.repo('epel') do
4752
- ...
4753
- end
4754
-
4755
- repos
4756
- +++++++++++++++++++++++++++++++++++++++++++++++++++++
4757
- The ``repos`` matcher tests if a named repo, using either a full identifier (``'updates/7/x86_64'``) or a short identifier (``'updates'``), is included in the |yum| repo:
4758
-
4759
- .. code-block:: ruby
4760
-
4761
- its('repos') { should include 'some_repo' }
4762
-
4763
- Examples
4764
- -----------------------------------------------------
4765
- The following examples show how to use this InSpec audit resource.
4766
-
4767
- **Test if the yum repo exists**
4768
-
4769
- .. code-block:: ruby
4770
-
4771
- describe yum do
4772
- its('repos') { should exist }
4773
- end
4774
-
4775
- **Test if the 'base/7/x86_64' repo exists and is enabled**
4776
-
4777
- .. code-block:: ruby
4778
-
4779
- describe yum do
4780
- its('repos') { should include 'base/7/x86_64' }
4781
- its('epel') { should exist }
4782
- its('epel') { should be_enabled }
4783
- end
4784
-
4785
- **Test if a specific yum repo exists**
4786
-
4787
- .. code-block:: ruby
4788
-
4789
- describe yum.repo('epel') do
4790
- it { should exist }
4791
- it { should be_enabled }
4792
- end
4793
-
4794
-
4795
-
4796
-
4797
- .. |inspec resource| replace:: InSpec audit resource
4798
- .. |apt| replace:: Apt
4799
- .. |apache| replace:: Apache
4800
- .. |archlinux| replace:: Arch Linux
4801
- .. |debian| replace:: Debian
4802
- .. |fedora| replace:: Fedora
4803
- .. |redhat enterprise linux| replace:: Red Hat Enterprise Linux
4804
- .. |centos| replace:: CentOS
4805
- .. |redhat| replace:: Red Hat
4806
- .. |ubuntu| replace:: Ubuntu
4807
- .. |windows| replace:: Microsoft Windows
4808
- .. |unix| replace:: UNIX
4809
- .. |linux| replace:: Linux
4810
- .. |ppa| replace:: PPA
4811
- .. |json| replace:: JSON
4812
- .. |csv| replace:: CSV
4813
- .. |postgresql| replace:: PostgreSQL
4814
- .. |md5| replace:: MD5
4815
- .. |sha256| replace:: SHA-256
4816
- .. |selinux| replace:: SELinux
4817
- .. |gem| replace:: gem
4818
- .. |icmp| replace:: ICMP
4819
- .. |tcp| replace:: TCP
4820
- .. |udp| replace:: UDP
4821
- .. |inetd| replace:: inetd
4822
- .. |mysql| replace:: MySQL
4823
- .. |npm| replace:: npm
4824
- .. |bower| replace:: bower
4825
- .. |statsd| replace:: StatsD
4826
- .. |oneget| replace:: OneGet
4827
- .. |ruby| replace:: Ruby
4828
- .. |pip| replace:: pip
4829
- .. |ipv4| replace:: Internet Protocol version 4 (IPv4)
4830
- .. |ipv6| replace:: Internet Protocol version 6 (IPv6)
4831
- .. |powershell| replace:: Windows PowerShell
4832
- .. |openssh| replace:: Open SSH
4833
- .. |ssh| replace:: SSH
4834
- .. |nginx| replace:: Nginx
4835
- .. |yaml| replace:: YAML
4836
- .. |yum| replace:: Yum